When to use the Aggregator TAP
The Aggregator TAP offers a compromise between the SPAN/mirror port and full-duplex TAP options. It costs more than a full-duplex TAP due to the added complexity and memory requirements of its built-in buffer.
The Aggregator TAP does not require a specialized (and potentially more expensive) analyzer with a dual-receive capture interface. Like a full-duplex TAP, it operates independently of the network it monitors, so it is not itself exposed to network-based security threats.
The Aggregator TAP includes an internal buffer to mitigate the bandwidth problem associated with converging both sides of the full-duplex traffic from the network into one side of the full-duplex link to the analyzer. The buffer is able to cache some spikes in network utilization, but the Aggregator TAP drops packets when the bursts of activity exceed its buffer capacity.
The Aggregator TAP is ideally suited to work with an analysis device with a standard, single-receive capture interface or NIC. This means that a laptop or a standard system can be deployed as an analyzer rather than the more expensive specialized analyzers or appliances that are designed to accept full-duplex traffic through a dual-receive capture interface.
Just like a SPAN/mirror port, the Aggregator TAP is ideal for a lightly used network that occasionally has utilization peaks above the capture capacity of the analyzer. Unlike a SPAN/mirror port, the Aggregator TAP will forward Layer 1 and 2 errors to the analysis device.
Another advantage the Aggregator TAP has over a SPAN/mirror port session is its internal memory buffer. The memory buffer provides limited protection against packet loss, and if the network utilization does not regularly exceed the capacity of the analyzer’s capture card, an Aggregator TAP may be the right choice.
The appropriate solution for capturing full-duplex data for analysis depends on the rates of traffic you must monitor, and what level of visibility you require. When monitoring a lightly-used network, using a SPAN/mirror port or Aggregator TAP to supply an analysis device with a standard NIC (i.e., single-receive) interface can be an economical choice. The Aggregator TAP can provide protection against packet loss, but if usage spikes exceed its buffer capacity before the link to the analyzer can catch up, the Aggregator TAP drops packets.
To monitor a critical, heavily utilized full-duplex link, a full-duplex TAP is the only alternative. Monitoring a full-duplex connection using a full-duplex TAP and an analyzer with a dual-receive capture interface guarantees complete, full-duplex capture for monitoring, analysis, and intrusion detection regardless of bandwidth saturation.
Choosing the Aggregator TAP buffer size
The Aggregator TAP is designed for network links with low-to-moderate utilization, and within that range it has its place. Know what your network utilization is before you decide to use an Aggregator TAP.
If your network utilization is too high, the Aggregator TAP may not be the correct solution for you.
The internal buffer helps absorb traffic spikes of over 50% full-duplex bandwidth saturation (100% when both data streams are combined), because the analyzer’s single receive interface is limited to line rate, and the amount of data on the network under analysis can be two times the line rate. The data in the buffer is released when utilization drops to the point where the analyzer interface can move both the “live” data plus the data released from the buffer. Packet loss is unavoidable if the utilization spikes exceed the capacity of the buffer. Packet loss occurs only to the analyzer. No traffic loss occurs between Link A (typically a router, firewall, or server) and Link B (typically a switch).
To monitor links that are well over 50% utilization for minutes at a time, a full-duplex TAP may be a better choice.
After the buffer is full, the Aggregator TAP will drop packets. Use Figure 4 to choose the best buffer size for your Aggregator TAP. The graph shows the buffer size and duration of traffic spikes that the buffer can absorb.
Note: The Link side and Analyzer side of the Aggregator TAP negotiate their connections independently of each other. This means that the Link side can run at the same speed as the Analyzer side or slower, but never faster. This is true whether you use a copper or optical connection to the analyzer. For instance, if your Link side is at 10 Mb or 100 Mb and your analyzer connection is 1 Gb, the TAP sends data to the analyzer at 1 Gb (known as up-converting), and there is no chance of over-subscribing the buffer. If your Link side is 1 Gb, then your connection to the analyzer must also be 1 Gb. It cannot be 10 Mb or 100 Mb, because the analyzer cannot receive the traffic from the Link side fast enough.
Figure 4: Bandwidth utilization that a buffer can absorb on a gigabit network
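The buffer behaviour described in the previous section (two directions converging onto one analyzer link, the buffer absorbing the excess, packets dropped to the analyzer once it is full, and the Link side never being faster than the Analyzer side) can be modelled directly. The following is an added example, not the vendor's code or tooling; it assumes 1 Gb/s link and analyzer interfaces by default, a 1 ms simulation step, and constructed utilization samples.

```python
# Added example (not vendor code): a model of the Aggregator TAP buffer
# for sizing it against expected traffic spikes. Assumed defaults: 1 Gb/s
# link and analyzer interfaces, a 1 ms step, constructed utilization data.

GIGABIT_BPS = 1_000_000_000 / 8  # bytes per second on a 1 Gb/s interface


def check_speeds(link_bps, analyzer_bps):
    """The Link side may not be faster than the Analyzer side."""
    if link_bps > analyzer_bps:
        raise ValueError("analyzer link slower than monitored link")


def spike_seconds_absorbed(buffer_bytes, util_a, util_b,
                           link_bps=GIGABIT_BPS, analyzer_bps=GIGABIT_BPS):
    """Seconds a sustained spike can last before the buffer overflows.

    util_a and util_b are fractions of link line rate in each direction.
    Both directions converge onto the single analyzer link; anything above
    its line rate accumulates in the buffer. Returns inf if it never fills.
    """
    check_speeds(link_bps, analyzer_bps)
    excess = (util_a + util_b) * link_bps - analyzer_bps
    if excess <= 0:
        return float("inf")
    return buffer_bytes / excess


def simulate(buffer_bytes, samples, link_bps=GIGABIT_BPS,
             analyzer_bps=GIGABIT_BPS, step=0.001):
    """Run per-step (util_a, util_b) samples through the buffer.

    Returns (bytes_dropped_to_analyzer, peak_buffer_fill). Drops affect only
    the analyzer copy; traffic between Link A and Link B is never lost.
    """
    check_speeds(link_bps, analyzer_bps)
    fill = dropped = peak = 0.0
    for util_a, util_b in samples:
        fill += (util_a + util_b) * link_bps * step  # arrives from both sides
        fill -= analyzer_bps * step                  # drained by the analyzer
        fill = max(fill, 0.0)                        # buffer cannot go negative
        if fill > buffer_bytes:                      # overflow: packets dropped
            dropped += fill - buffer_bytes
            fill = buffer_bytes
        peak = max(peak, fill)
    return dropped, peak
```

Feeding `simulate` a 20 ms burst at 90% in each direction followed by 20 ms at 30% shows a 1 MB buffer filling after 10 ms and dropping 1 MB to the analyzer, while a 2 MB buffer absorbs the whole burst.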