While deploying network monitoring tools, IT managers are often faced with questions, such as: "Can we do this and still ensure that we aren't impacting the production network?" or "Can I make sure that I can see 100% of network traffic?" or "What is the best way to get data into my monitoring and test tools?" 

The good news is that THERE IS a low-cost (and very impactful) technology that helps IT managers:

  • Address these tough questions
  • Reduce operational risk
  • Ensure they are getting the most out of their network monitoring tool investments

This technology is the network TAP, and it is the best way to get data from your network into any monitoring tool.

What is the Difference Between SPAN Ports and TAPs?

For an in-depth read, download our free TAPs vs. SPAN Whitepaper.

Before we dive too deep into network TAPs, let's take a step back and look at the most popular alternative for getting data into monitoring tools: a SPAN port, also known as a mirror port. SPAN ports are often included in network equipment and are used to send data to a monitoring tool for analysis. However, there are a few facts to consider while using this approach (spoiler alert, they are not good facts):

  • Using SPAN ports takes up compute cycles on the machine they are drawing information from, leading to performance impacts on the production network
  • SPAN ports drop packets when they are oversubscribed
  • Data from a SPAN port is unpredictable, completely reliant on the available resources

So, why do SPAN ports fall short in so many ways when it comes to network monitoring? Well, it's because they were a bit of an afterthought and were never designed for large-scale network monitoring and analytics. Think that is too bold of a statement? Hang tight, we're getting there.

A brief history of SPAN ports

SPAN/mirror ports were originally created by Cisco to send some data for testing and troubleshooting. SPAN port technology was never intended for large-scale network analytics, and Cisco will be the first to admit this. Here are a few bullets from Cisco's own whitepaper, "Using the SPAN port for SAN analysis":

  • "Cisco warns that the switch treats SPAN data with a lower priority than regular port-to-port data. In other words, if any resource under load must choose between passing normal traffic and SPAN data, the SPAN loses and the mirrored frames are arbitrarily discarded."
  • "Knowing that the SPAN port arbitrarily drops traffic under specific load conditions, what strategy should users adopt so as not to miss frames? According to Cisco, the best strategy is to make decisions based on the traffic levels of the configuration and, when in doubt, to use the SPAN port only for relatively low-throughput situations."
  • "Users should also be aware that the port cannot be flow-controlled by the destination (analysis) device, because the flow-controlling SPAN mirrored output would, as a consequence, push back the flow-controlling action to the actual network traffic. This design choice is a consequence of the decision by Cisco not to affect the original network traffic while it is mirrored. Therefore, mirrored data issued from the SPAN port must be captured as quickly as it is produced, or the mirrored data may be lost. This characteristic becomes important if the analyzer connected to the SPAN port requires flow-control. Flow-control related loss is unpredictable and leads to poor analysis results."

So, what is a network TAP? 

At the highest level, a network TAP is a device that makes a copy of network traffic and then sends that copy to a tool for monitoring or analysis. You simply stick a network TAP between any two connected pieces of network infrastructure, and you will immediately have a full-fidelity copy of the traffic that is flowing between those two devices to send to a monitoring/analytics tool or security device. By using a network TAP, you eliminate the need to "borrow" resources from your existing network equipment; a TAP does not impact your existing infrastructure in any way.

OK, so we got there now: SPAN ports are bad and network TAPs are good. Simply put, there is a lot to be gained from implementing a TAP fabric when you take on a network monitoring requirement. As mentioned previously, TAPs provide 100% visibility into network traffic, and they do not affect the production network in any way, shape, or form: two key benefits when implementing a network monitoring solution. However, these are just two examples of the many benefits of using network TAPs...

Find out more about network TAPs by downloading our free TAPs vs. SPAN Whitepaper.

Topics: network engineering, test/lab automation, network performance, cyber security, IT operations


Written by MantisNet