Why SPAN when you can Tap?
In networking, as in life, there are usually multiple ways of trying to get to the same conclusion. A favorite Hindi term, jugaad, captures the quick-and-dirty but expedient and initially convenient approach. Some would call this approach, and the cobbled-together vehicles assembled from buckboards and industrial pump motors, an expedient use of limited resources; others call it “illegal, dumb and dangerous” and one of India's most over-rated ideas.
When you need data about the traffic flowing through your network, the layperson might first turn to the switches on that network. Networking giant Cisco rolled out a feature called SPAN, Switched Port ANalyzer, a form of port mirroring, which was intended to help provide the data needed for network analytics. While well intended, this approach has proven to be somewhat limited. It is convenient to use the switches you already have in your network, but port mirroring is prone to dropped packets, particularly at higher speeds, and it will not replicate lower-level errors and issues that the switch cannot handle. Considering that there are other, ultimately better and more cost-effective approaches, some would even say that there are aspects of jugaad to be found in SPAN.
Enter the Network Tap
At Ixia we have long been proponents of a different, and what we feel is better, approach to getting network traffic to the right security and analytic tools: the network tap. Instead of (imperfectly) mirroring a switch port, which is the obvious solution, taps dig a bit deeper into the OSI stack and get you data from the PHY layer.
Another advantage of taps over SPAN is that you are not adding any sort of processing burden to your switch. From the outside, it is easy to fall into the trap of assuming that all sorts of features that exist on a switch (or, as the case might be, some of our competitor’s packet brokers), such as filtering, can be used without bogging down the device or risking dropped packets.
Kinds of Ethernet Taps
There are a number of different kinds of taps, with specific types being appropriate for specific types of networks.
Ixia has a number of optical tap offerings, including fiber-optic Flex Taps, a flexible, scalable solution for situations requiring passive optical taps. In contrast, we also have a much more minimalistic optical tap, the Patch Tap, for use directly in patch panels.
Running copper Ethernet? No problem, we also have copper taps. Similar to our optical taps, copper taps have no IP address and are thus effectively unhackable.
Have a full-duplex connection that you want to monitor? Consider a tap aggregator, available as both a copper tap aggregator and a fiber tap aggregator. Traffic is passed as it comes in, so your tools see real copies of real packets.
Need to make multiple copies of traffic on a particular link? We have both fiber regeneration taps and copper regeneration taps that can do that for you. Regen taps are cost-effective, easy to deploy, easy to configure and don’t modify traffic, so your tools see the packets as they flow on your network, as you would expect.
Whether you are monitoring your network or feeding security and other tools, there is more than one way to get to where you are going. For quick-and-dirty stuff, or if you are just playing in a sandbox, SPAN may be OK. If you are supporting a production network, particularly if that network is core to your business or if you are doing something intended to be in place for a long time, you probably should look at doing it the right way and using taps to build the foundation of your security or visibility layer. This approach takes a little more up front, but delivers down the line by not bogging down switches or consuming switch ports while providing tools with better, unmolested packets and data. Think about it: if you have a nice car in the garage, are you really going to bolt that industrial pump motor to an improvised buckboard and take it for a spin?