How to configure the card for an optical TAP, SPAN, or other
You must make configuration changes to the capture card depending upon whether you connect to a SPAN/mirror port, a passive optical TAP, or to a switch aggregator or conversion TAP using fiber.
For fiber optic connections that require a splitter: these steps assume you are using the VIAVI optical Y-splitter cable, as it is unable to inject light back into the upstream network link and the provided steps assume the cable is being used. If a third-party optical splitter cable is used instead when Tx Enable is enabled on those capture card ports, it could cause interference with the upstream network link because the cable could inject light back into the upstream network link. To summarize, the steps listed for fiber optic connections in this document might not represent the best course of action if you are using a third-party optical splitter.
Auto-negotiation sets the correct port speed between a capture card port and a network device. The network devices connected to the capture card typically include network TAPs, SPANs or mirror ports from a switch, and feeds from a network packet broker or switch aggregator. Here are some general best practices:
Auto-negotiation must be disabled when connecting the capture card to a passive, fiber-optic TAP.
Auto-negotiation must be enabled when connecting the capture card to copper SPAN or mirror ports.
To configure the capture card to properly connect to a network device:
1. In your version of Windows, open Device Manager.
2. In the tree on the right, expand Viavi Solutions Inc. Capture Adapters.
3. Right-click the capture card entry and choose Properties.
4. Click the Advanced Properties tab.
5. Do one of the following, and ensure the same settings are set for each capture card port that makes up a link:
If you are connecting a passive, optical TAP to the capture card:
Clear Auto-Neg Enable (off).
Clear Tx Enable (off).
If you are connecting a copper SPAN/mirror port to the capture card:
Select Auto-Neg Enable (on).
Select Tx Enable (on).
If you are connecting a fiber optic mirror port from a switch or conversion TAP to the capture card:
Clear Auto-Neg Enable (on).
Select Tx Enable (on).
For connecting a fiber optic mirror port from a switch, some switches need Tx Enable turned on for those capture card ports to establish a connection. If this results in problems, turn off Tx Enable. Similarly, the correct setting for Auto-Neg Enable can change depending on your hardware and environment, so enable or disable it if you encounter problems.
Figure 99: Capture card Advanced Properties
Each configured and cabled capture card port to your device(s) should establish a working connection.
When to use a SPAN/mirror port
The advantage of using a SPAN/mirror port is its cost, as a SPAN/mirror port is included for free with nearly every managed switch. A SPAN/mirror port is also remotely configurable, allowing you to change which ports are mirrored from the switch management console.
There are some limitations in using a SPAN/mirror port. Limitations of a SPAN/mirror port stem from the aggregation necessary to merge full-duplex network traffic into a single receive channel. For examples, when traffic levels on the network exceed the output capability of the SPAN/mirror port, the switch is forced to drop packets. Another reason that a SPAN/mirror port may not be the right choice is because Layer 1 and 2 errors are not mirrored and therefore never reach the analyzer. When performing network troubleshooting, seeing these errors can be important.
When monitoring with a SPAN/mirror port on a switch, the switch does three things:
Copies both the send and receive data channels
Reconstructs an integrated data stream from the two channels
Routes the integrated signal to the send channel of the SPAN/mirror port
Each of these activities burdens the switch’s internal processor. These demands on the switch’s CPU have implications for both your monitoring equipment and general network performance. Using a SPAN/mirror port to capture network traffic for analysis presents the following risks:
As total bandwidth usage for both channels exceeds the capacity of the outbound link to the analyzer, the excess traffic is dropped from the analyzer stream. There simply is not enough bandwidth to transmit both sides of the full-duplex traffic across a single standard interface.
The switch’s CPU must act as both a network switch and a packet-copier. The switch’s CPU must also integrate the two data streams (send and receive) together correctly. Both packet copy/re-direction and channel integration is affected by switch load. This means the SPAN/mirror port may not deliver accurate captures when the switch is under heavy load. Monitoring a 10/100 network through a Gigabit SPAN/mirror port and analyzer does not alleviate these concerns. Also, there is no notification when the SPAN/mirror port is dropping packets or delivering inaccurate time stamps.
A SPAN/mirror port can deliver satisfactory results when used to monitor lightly used, non-critical networks. If network utilization exceeds the capacity of the outbound (analyzer) link, packet loss results—which invalidates many types of analysis, and makes monitoring for certain kinds of network activity impractical. For example, you might miss a virus signature because packets are being dropped. When analyzing a transaction or connection problem, the analyzer may detect problems where none exist because expected packets are being dropped by the SPAN/mirror port. Hardware and media errors will also be impossible to troubleshoot through a SPAN/mirror port, as these errors are not mirrored to the analyzer.