Monitoring half-duplex and full-duplex Ethernet links
If your IT department is typical, you have a limited budget. Therefore, before you spend any money on analyzers, TAPs, and probes, you should assess what kinds of traffic you need to see and what kinds of traffic you want to see for effective network management. This allows you to deploy the correct technology needed to meet your particular goals.
On wired networks with multiple switches, most of the stations are plugged into half-duplex ports, even if the backbone or server connections are Gigabit Ethernet or greater. Being able to see the traffic local to each switch at the edge can give you insight unavailable from tapping the core connections. For example, client-to-client communications are invisible from the backbone or server connections. It can also be useful to isolate a segment when troubleshooting client-to-core connection problems. The best way to achieve this kind of visibility is to configure SPAN/mirror sessions on each switch, and then direct the SPAN/mirror output to half-duplex probes.
A SPAN/mirror port duplicates the traffic on a switch port or a group of ports, and sends the copied data to an analyzer. Using a SPAN/mirror port and half-duplex probes is inexpensive and convenient, but cannot give you all the visibility you need to manage and troubleshoot a network that also includes gigabit, WAN, and wireless infrastructure. For networks that include these other topologies, other solutions are needed.
Because full-duplex Ethernet lies at the core of most corporate networks, ensuring completely transparent analyzer access to full-duplex Ethernet traffic is critical. SPAN/mirror port access is fine for the half-duplex Ethernet connections to stations at the edge, but may be unable to keep up with the higher-traffic full-duplex links to the core.
There are three common ways for a probe or analyzer to gain access to full-duplex streams of data flowing on Ethernet cables:
Connect the probe to a SPAN/mirror port. A SPAN/mirror port can provide a copy of all designated traffic on the switch in real time, assuming bandwidth utilization is below 50% of full capacity.
Deploy a port aggregator (sometimes called an “Aggregator TAP”) on critical full-duplex links.
Deploy a TAP (Test Access Port) on critical full-duplex links to capture traffic. For some types of traffic such as full-duplex gigabit links, TAPs are the only way to guarantee complete analysis, especially when traffic levels are high.
Connecting a probe to a switch SPAN/mirror port or aggregator can provide adequate visibility into most of the traffic local to the switch, assuming that bandwidth utilization is low. However, if the aggregate switch traffic ever exceeds 50% bandwidth saturation, SPAN/mirror ports and aggregators simply cannot transmit the data fast enough to keep up; dropped packets (and perhaps sluggish switch performance) will result. This is because SPAN/mirror ports and aggregators are designed to connect to a standard NIC, which gives them only one side of the full-duplex link on which to transmit data. A TAP, however, is designed to connect to a dual-receive capture card. By sending data on both sides of the link to the capture card, a TAP has double the transmission capability of the other options, allowing it to mirror both sides of a fully saturated link with no dropped packets and no possibility of degrading switch performance. And regardless of utilization, SPAN/mirror ports filter out physical layer error packets, rendering them invisible to your analyzer.
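The 50% threshold described above can be checked against a link's own traffic history before choosing between a SPAN/mirror port and a TAP. The following is an added example, not part of the original page: it takes cumulative per-direction octet counters polled from the monitored link and estimates, per polling interval, what share of the mirrored traffic a single-transmit output would be unable to carry compared with a TAP. The names `Sample`, `Interval` and `assess` are hypothetical, the sample data is constructed, and the model is idealized (no buffering, interval averages only).

```python
from typing import NamedTuple

class Sample(NamedTuple):
    t: float         # sample time, seconds
    rx_octets: int   # cumulative octet counter, one direction of the link
    tx_octets: int   # cumulative octet counter, the other direction

class Interval(NamedTuple):
    start: float
    duplex_util: float   # (rx + tx) / (2 * link rate), the "bandwidth saturation"
    span_loss: float     # share of mirrored bits a single-transmit output cannot carry
    tap_loss: float      # same share for a TAP feeding a dual-receive capture card

def assess(samples, link_bps, counter_bits=64):
    """Estimate mirror loss per polling interval under an idealized, bufferless model."""
    mod = 1 << counter_bits
    results = []
    for a, b in zip(samples, samples[1:]):
        dt = b.t - a.t
        if dt <= 0:
            raise ValueError("samples must be in increasing time order")
        # Modular subtraction tolerates one counter wrap per interval.
        rx_bps = ((b.rx_octets - a.rx_octets) % mod) * 8 / dt
        tx_bps = ((b.tx_octets - a.tx_octets) % mod) * 8 / dt
        offered = rx_bps + tx_bps
        # SPAN/aggregator: both directions share one transmit path of link_bps.
        span_excess = max(0.0, offered - link_bps)
        # TAP: each direction is copied onto its own path of link_bps.
        tap_excess = max(0.0, rx_bps - link_bps) + max(0.0, tx_bps - link_bps)
        results.append(Interval(
            a.t,
            offered / (2 * link_bps),
            span_excess / offered if offered else 0.0,
            tap_excess / offered if offered else 0.0,
        ))
    return results

# Constructed samples for a 1 Gb/s full-duplex link, polled every 10 s.
SAMPLES = [
    Sample(0, 0, 0),
    Sample(10, 250_000_000, 125_000_000),      # 200 Mb/s + 100 Mb/s
    Sample(20, 1_250_000_000, 875_000_000),    # 800 Mb/s + 600 Mb/s
]

if __name__ == "__main__":
    for iv in assess(SAMPLES, 1_000_000_000):
        print(f"t={iv.start:>4}s util={iv.duplex_util:.0%} "
              f"span_loss={iv.span_loss:.1%} tap_loss={iv.tap_loss:.1%}")
```

Because the inputs are interval averages, short bursts inside a polling interval can push a single-transmit output past its limit even when the reported utilization is under 50%.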
The most critical parts of your network are almost by definition those that see the most traffic. If your network includes a business-critical link (for example, the gigabit link that connects the customer service database to the core switch), a TAP connected to a compatible probe or analyzer is the only way to ensure both complete visibility and complete transparency to the network, regardless of how saturated with traffic the link becomes.