Deciding whether to use a TAP or a SPAN/mirror port
SPANs are great for proofs of concept and lightly used links. TAPs ensure you get all of the traffic, even on high-speed links, including physical layer errors.
A TAP is a passive splitting mechanism installed between a device of interest and the network. A TAP copies the incoming network traffic and splits it. It passes the network traffic to the network and sends a copy of that traffic (both send and receive) to a monitoring device in real time.
A SPAN/mirror port is a port on a switch that copies traffic from a port or group of ports and sends the copied data to an analyzer. By its very nature it is half-duplex: the mirror port has a single transmit path toward the analyzer, so it cannot forward all of the send and receive traffic it sees once traffic exceeds 50% of the link bandwidth. Moreover, switch manufacturers design their products so that the SPAN/mirror port has a lower priority in the switch operating system, so one of the first things to stop working when the switch gets busy is the SPAN/mirror port traffic flow. A SPAN/mirror port is fine for connections to stations at the edge of your network, but may be unable to keep up with the higher traffic volumes on the full duplex links at the core of your network. It is convenient for a proof of concept, but it cannot pass physical layer errors (poorly formed packets, runts, CRC errors) to the analyzer and cannot give you all of the visibility you need for Gigabit, 10 Gigabit or 40 Gigabit networks; a TAP can.
Most enterprise switches copy the activity of one or more ports through a Switch Port Analyzer (SPAN) port, also known as a mirror port. An analysis device can then be attached to the SPAN port to access network traffic.
There are four common ways to get full duplex data to a probe or analyzer:
Connect the probe to a SPAN/mirror port. A SPAN/mirror port can provide a copy of all designated traffic on the switch in real time, assuming bandwidth utilization is below 50% of full capacity.
Deploy an Aggregator TAP on critical full duplex links.
Deploy a full duplex TAP on critical links to capture traffic. For some types of links, such as full duplex gigabit links, TAPs are the only way to guarantee complete analysis, especially when traffic levels are high.
Use a traffic aggregator, like the Observer Matrix, to copy and filter full duplex traffic. Because full-duplex Ethernet links lie at the core of most corporate networks, ensuring completely transparent analyzer access to those links is critical.
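The half-duplex limit described above (a mirror port must emit the receive and transmit traffic of every source port through its one output) can be checked before a SPAN deployment. The following is an added example, not code from the original article or from the Observer product; port names, link rates and utilizations are constructed sample values, and it generalizes the 50% rule to several source ports and to a destination port of a different rate.

```python
"""Best-case capacity check for a SPAN/mirror port (added example).

Real switches give mirror traffic a lower priority than forwarding traffic,
so drops begin earlier than this idealised arithmetic predicts.
"""
from dataclasses import dataclass


@dataclass
class SourcePort:
    name: str
    speed_mbps: float  # link rate per direction (full duplex)
    rx_util: float     # fraction of speed in use, receive direction (0..1)
    tx_util: float     # fraction of speed in use, transmit direction (0..1)


def offered_load_mbps(sources):
    """Traffic the mirror port must emit: both directions of every source."""
    return sum(p.speed_mbps * (p.rx_util + p.tx_util) for p in sources)


def max_symmetric_util(link_mbps, dest_mbps):
    """Highest per-direction utilization of one full-duplex link that a mirror
    port of rate dest_mbps can copy without overflow. With equal rates this is
    the article's 50% figure; a faster destination port raises the ceiling."""
    return min(1.0, dest_mbps / (2 * link_mbps))


def assess_span(sources, dest_mbps):
    offered = offered_load_mbps(sources)
    ratio = offered / dest_mbps
    # Share of copied frames that cannot fit on the mirror port even with
    # perfect buffering; any ratio above 1 means the analyzer sees gaps.
    drop_fraction = 0.0 if offered <= dest_mbps else 1.0 - dest_mbps / offered
    return {
        "offered_mbps": offered,
        "oversubscription": ratio,
        "min_drop_fraction": drop_fraction,
        "tap_recommended": ratio > 1.0,
    }


if __name__ == "__main__":
    # Constructed scenario: two gigabit server links mirrored to one gigabit port.
    servers = [SourcePort("srv1", 1000, 0.40, 0.35),
               SourcePort("srv2", 1000, 0.30, 0.25)]
    print(assess_span(servers, dest_mbps=1000))
    print(max_symmetric_util(1000, 1000))
```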
Figure 1: TAP versus SPAN
Table 2. TAP versus SPAN

TAP
Advantages:
- Greatly reduces the risk of dropped packets
- Monitoring device receives all packets, including physical errors
- Provides full visibility into full-duplex networks
Disadvantages:
- Analysis device may need a dual-receive capture interface if you are using a full-duplex TAP (does not apply to the Aggregator TAP family)
- Additional cost with purchase of TAP hardware
- Cannot monitor intra-switch traffic

SPAN/mirror port
Advantages:
- Low cost
- Remotely configurable from any system connected to the switch
- Able to copy intra-switch traffic
Disadvantages:
- Cannot handle heavily utilized full-duplex links without dropping packets
- Filters out physical layer errors, hampering some types of analysis
- Burden placed on a switch's CPU to copy all data passing through ports
- Switch puts lower priority on SPAN port data than on regular port-to-port data
- Can change the timing of frame interaction, altering response times
Bottom line
A TAP is ideal when analysis requires seeing all the traffic, including physical-layer errors. A TAP is required if network utilization is moderate to heavy. The Aggregator TAP can be used as an effective compromise between a TAP and SPAN port, delivering some of the advantages of a TAP and none of the disadvantages of a SPAN port.
A SPAN port performs well on low-utilized networks or when analysis is not affected by dropped packets.