Infrastructure TAP's and the Need for a Comprehensive Network Visibility System!
Updated: May 26, 2022
In order to achieve a 100% guaranteed view of all network traffic and fulfil today’s access and visibility requirements, the network infrastructure must incorporate network TAPs (Test Access Points). Network Visibility solutions are only as good as the data that they receive; Network TAPs represent the foundation of an effective and reliable visibility infrastructure.
The question that follows is, naturally, what exactly is a Network TAP and what does it offer that makes it a more effective data source than alternatives such as Port Mirroring and SPAN (Cisco’s Switched Port Analyzer)?
Tim O’Neill, the technology consultant and Chief Contributing Editor of lovemytool.com has published an in-depth article comparing and contrasting the differences between a SPAN port and a Network TAP; the article can be found here: The Original published article was written in 2007 on WWW.LoveMyTool.com the first Tap paper was written in 1995 as a Network General Paper on Tapping into an Ethernet Network. In this article, Tim provides compelling reasons to use Network TAPs for meeting today’s network visibility requirements. I will briefly point out below some of the key advantages a Network TAP has over a Port Mirroring or SPAN technology (I will use the term SPAN to generically describe these technologies for the rest of the paper) without reiterating everything the article states, and I highly encourage you to read it. ( Note** The First Ethernet Tap was built by Datacom Systems in 1991 for Network General's (now Netscout) Sniffer, The first non intrusive Tap for WAN RS-232, V.35, RS-449 for data monitoring was built by Spectron in the 1970's)
What is a Network TAP?
If you cannot see your Network data, than how will you know if you have a problem or breach?
A Network Test Access Point is a relatively simple OSI Layer 1 device (simplicity equals reliability in this case) that connects directly inline with the cabling infrastructure and creates a copy of the traffic for monitoring purposes. They can be standalone devices or can be integrated into a visibility node. The copied traffic has no impact or interaction with the live network, and it is not possible to send traffic from a TAP’s monitoring ports back into the live network stream. In fact, TAPs, except for Aggregation TAPs, are unmanaged devices and do not represent a risk of compromise as they cannot be enumerated in a network scan or remotely accessed (This speaks primarily to Cubro’s TAP lineup).
With respect to fault tolerance, fiberoptic TAPs are completely passive devices requiring no power and completely fail-safe in operation. 10/100 copper TAPs require power only for the monitor ports while the live link remains passive and fail-safe. 10/100/1000 copper TAPs require some additional PHY level intelligence and, historically, relied on relays to fail open in the case of a power failure which could interrupt the link and require an auto-negotiation process between the two endpoints. Cubro has pioneered a new 10/100/1000 TAP architecture that reduces this problem nd further enhances the reliability of 1 Gbps copper TAPs.
The way these devices operate is fundamentally different from a SPAN port because the Network TAP performs only a singular function and requires no processing capabilities to forward the copied traffic for monitoring. A SPAN is an ancillary function to the primary purpose of the switch. Performing that function requires additional processing resources and, by design, a switch will interrupt the traffic forwarding of the SPAN to protect its primary function of packet switching.
The TAP does not alter the traffic in any way or introduce any latency, furthermore, the copy is an exact duplicate of what is being carried on the link. In contrast to the way a SPAN works, the TAP does not require any configuration for traffic to be copied. Whereas a SPAN will drop errored or malformed frames a TAP will not. Additionally, a SPAN will alter the timing of the forwarded traffic such that it no longer reflects the reality of the network; a TAP is a precise reflection of what is on the wire.
A final consideration I will point out, and a very important one at that is the potential for oversubscription. In the case of full duplex links, the overall bandwidth of the link is actually twice the rated speed of the link i.e. a 1 Gbps link is comprised of up to 1 Gbps on the transmit (TX) side and up to 1 Gbps on the receive (RX) side and thus contains, potentially, 2 Gbps of traffic. If you send the traffic from a 1G full duplex link to a SPAN, then you are potentially directing up to 2 Gbps of data to be sent out on a port that can only handle 1 Gbps; that means a lot of lost packets. On a TAP there will be a separate monitor port for TX traffic and RX traffic. In the case of a copper TAP that means the ports you are transmitting the copied traffic from, and likewise to, are capable of the same throughput as the live link. If a situation were to oversubscribe the links on a copper TAP, it would have already oversubscribed the live link, and the point becomes moot. An optical TAP cannot be oversubscribed in any case.
All these considerations taken together mean that a monitoring system that relies on SPAN ports for data feeds cannot be counted as 100% reliable; in the best-case scenario it doesn’t completely reflect the network traffic accurately and in the worst-case scenario it can be missing vital information that is key to detecting a network issue.
Advantages of a Network TAP
In summary; here are some advantages of a Network TAP over port mirroring or SPAN:
Exact duplicate of network traffic
No added latency or altered timing
Passes network errors in addition to good frames/packets
Oversubscription not an issue