Choosing between a SPAN, Aggregator, or full-duplex TAP
Whether you use a SPAN/mirror port, Aggregator TAP, or full-duplex TAP depends on the saturation level of the link you want to monitor (up to 200% of link speed when both sides are combined) and the level of visibility you require.
There are numerous ways to access full-duplex traffic on a network for analysis; SPAN/mirror ports, Aggregator TAPs, and full-duplex TAPs are the three most common.
Each approach has advantages and disadvantages. SPANs and Aggregator TAPs are designed to work with a standard (and usually less expensive) network card on the analysis device, but their limitations make them less than ideal for situations where it is necessary to guarantee the visibility of every packet on the wire.
A full-duplex TAP is the ideal solution for monitoring full-duplex networks utilized at more than 50 percent (100% when both sides are combined), but its design requires that the analyzer be a specialized device with a dual-receive capture interface that is capable of capturing the TAP’s output, providing accurate timing, and recombining the data for analysis.
Table 1 lists the advantages and disadvantages of three common methods of accessing traffic from full-duplex networks for analysis, monitoring, or forensics:
Table 1. Methods of accessing traffic

Feature                                                                       Aggregator   SPAN/Mirror   Full-Duplex
Requires power                                                                X            X             X¹
Better² protection against dropped packets                                    X            -             X
Uses single-receive capture card                                              X            X             -
Uses internal buffer to mitigate traffic spikes                               X³           -             -
Suitable for networks with light to moderate traffic with occasional spikes   X            -             -
Passes OSI Layer 1 & 2 errors                                                 X            -             X
Not Addressable (cannot be hacked)                                            X            -             X
Requires dual-receive capture card                                            -            -             X
Ideal for heavy traffic/critical networks                                     -            -             X
Suitable for networks with light to moderate traffic                          -            X             -
Remotely configurable                                                         -            X             -

1 The Optical TAP does not require power, but the Copper TAP does.

2 Better protection against dropping packets than SPAN/mirror.

3 Although the Aggregator TAP has an internal buffer that mitigates spikes in traffic, when the buffer itself is full, the new packets are dropped until the output of the buffer can catch up.

Whether you are monitoring a network for security threats or capturing and decoding packets while troubleshooting, you need a reliable way to see the network traffic. The appropriate TAP for capturing full-duplex data for analysis depends on the rates of traffic you must monitor, and what level of visibility you require.
Attaching a monitoring or analysis device to a switch’s analyzer port (SPAN/mirror port) to monitor a full-duplex link.
Because a SPAN/mirror port is a send-only simplex stream of data, there is a potential bottleneck when trying to mirror both sides of a full-duplex link to the analyzer’s single receive channel. For more details, see When to use a SPAN/mirror port.
Attaching a monitoring or analysis device to an Aggregator TAP inserted into a full-duplex link.
As with a SPAN, the Aggregator TAP copies both sides of a full-duplex link to the analyzer’s single receive channel. It uses buffering which makes it somewhat better able to keep up with higher traffic levels than a SPAN. For more details, see When to use the Aggregator TAP and Choosing the Aggregator TAP buffer size.
Attaching a dual-receive monitoring or analysis device to a full-duplex TAP inserted into a full-duplex link.
Dual-receive means that the network card on the analysis device has two receive channels rather than the transmit and receive channels associated with a standard full-duplex link. For more details, see When to use a full-duplex TAP.
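The single-receive bottleneck and the buffer behavior described in footnote 3 can be worked through numerically. The following is an added example, not vendor code: it models a SPAN/mirror port as an output with no usable buffer and an Aggregator TAP as the same output with a fixed buffer, and counts the bytes lost on constructed traffic traces. The 1 Gb/s link speed, buffer sizes, and traces are assumptions chosen for illustration.

```python
# Added example: single-receive analyzer port fed by both directions of a
# full-duplex link. The traces and buffer sizes are constructed, not measured.

LINK_BPS = 1_000_000_000          # assumed 1 Gb/s link
INTERVAL_MS = 1                   # each sample covers 1 ms


def simulate(samples, buffer_bytes=0, link_bps=LINK_BPS):
    """Return (dropped_bytes, peak_buffered_bytes) for a utilization trace.

    samples: (tx_pct, rx_pct) per interval, each 0-100 percent of link speed.
    buffer_bytes=0 models a SPAN/mirror port (assumption: no usable buffer);
    buffer_bytes>0 models an Aggregator TAP with an internal buffer.
    """
    drain = link_bps // 8 // 1000 * INTERVAL_MS   # bytes the one output moves per interval
    queued = dropped = peak = 0
    for tx_pct, rx_pct in samples:
        arriving = (tx_pct + rx_pct) * drain // 100   # combined sides: up to 200%
        backlog = max(queued + arriving - drain, 0)
        if backlog > buffer_bytes:                    # buffer full: new packets are lost
            dropped += backlog - buffer_bytes
            backlog = buffer_bytes
        queued = backlog
        peak = max(peak, queued)
    return dropped, peak


# Constructed trace: 100 ms at 30%/30%, a 20 ms spike at 90%/80%, then 100 ms at 20%/20%.
SPIKE_TRACE = [(30, 30)] * 100 + [(90, 80)] * 20 + [(20, 20)] * 100
# Constructed trace: one second of sustained 60%/60% (120% combined).
SUSTAINED_TRACE = [(60, 60)] * 1000

if __name__ == "__main__":
    for label, size in [("SPAN/mirror (no buffer)", 0),
                        ("Aggregator, 1 MB buffer", 1_000_000),
                        ("Aggregator, 2 MB buffer", 2_000_000)]:
        print(label, "spike:", simulate(SPIKE_TRACE, size),
              "sustained:", simulate(SUSTAINED_TRACE, size))
```

On the spike trace a large enough buffer absorbs the burst without loss, while on the sustained trace every buffer size eventually fills and drops, which is the case where the page recommends a full-duplex TAP with a dual-receive analyzer.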