Make The Right Choice For Monitoring Data Capture
When monitoring a data network, you need quick and easy data access. A short delay or capturing the wrong data, can cost you thousands of dollars and result in longer troubleshooting time.
Keep in mind that you have choices when collecting monitoring data. Your choice of network monitoring equipment will affect the complexity and effectiveness of your monitoring strategy. The two most common ways of accessing monitoring data are through either a switched port analyzer (SPAN) port or a test access port (Tap).
A tap is a purpose-built device that passively makes a copy of network data but does not alter the data. Once you install it, you are done. No programming is required.
SPAN ports, also called mirror ports, are part of Layer 2 and 3 network switches. They are active devices and will require you to program them to copy the data desired.
Taps are the best choice when it comes to ease of data capture, versatility of location for data capture, and programming costs. Read this whitepaper to get more information on how to dimension taps within your network.
There is a clear difference between taps and SPANs. Taps offer significant advantages over SPAN ports when monitoring the network.
One benefit is that you can "set and forget" taps because they are a one-time intrusion to the network. SPAN ports require you to configure the switch (or switches) every time you want to change the switch data that needs to be copied.
Once installed, taps and a network packet broker eliminate the need for many Change Board Review processes because you do not need to touch the live network. You just filter and analyze the readily available monitoring data to get the troubleshooting, performance, security-related, and compliance data you need.
Taps are also versatile and you can deploy them anywhere across your network. This gives you the ability to tap ingress, egress, remote links, problem links, etc. with almost no restrictions, unlike the SPAN port which is tied specifically to a network switch and the switch’s physical location.
Take a look at this solution brief to see the differences.
Keep in mind is that network switches (and their SPAN ports) introduce mechanisms on ingress ports to eliminate corrupt packets and also packets that are below a minimum size. While this may sound beneficial, the problem with this approach is that monitoring devices for troubleshooting normally require the capture of all data within the egress segment. Key clues can be contained in this data. Switches and SPAN ports can drop Layer 1 and select Layer 2 data as well, depending on priority level.
By contrast, a tap passes on all of the data on a link. This includes capturing everything needed to properly troubleshoot common physical layer problems, including bad frames that can be caused by a faulty NIC.
Watch this webinar to get more details. Webinar: Tap More. Worry Less.
The chart to the right is an attempt to perform an “apples to apples” comparison with respect to SPAN port and Tap port programming.
- The cost to administer a Tap is typically $0
- Proper SPAN port mirroring requires a network engineer to configure the switches (CLI programming + filter validation)
- Labor rate = $100/hr
- Programming for each SPAN session get progressively more time intensive to create a correct filter and troubleshoot it
Administration costs for SPAN sessions start Day 1. In this conservative example, the average annual recurring maintenance costs ($6,890) for SPAN sessions could have been redeployed to buy an average of 10 Taps (annually).
Configuration Programming Cost Comparison
(for 1st year)
|Provisioning||Tap Cost||SPAN Session Cost|
|SPAN session planning||$0||$3,600|
Is Partial Coverage Good Enough?
Taps offer the ability to collect data anywhere in the network, not just where the Layer 2 or Layer 3 switches are located.
Tap vs SPAN Comparison Table
While SPAN ports create a mirrored copy of network data, there are a host of issues associated with them and you need to factor this into your monitoring strategy. See the adjacent table for a comparison of the two data capture methods.
|Provides access to monitoring packets||×||×|
|Delivers a complete copy (100%) of data (including bad data vital for diagnosis)||×|
|Has full system resource priority during crisis (i.e., does not drop frames)||×|
|Less vulnerable to security attacks||×|
|Does not create unnecessary, duplicate packets||×|
|Does not create time stamp issues||×|
|Recommended for lawful intercept||×|
|Relieves SPAN port contention||×|
|Plug & play: no configuration needed||×|
The following resources are available to help you with your research.