Is the SPAN port a scalable technology – No! Why?
Throughout the history of Ethernet, sysadmins have made frequent use of SPAN ports, configured either permanently or on demand on switches and routers in the troubleshooting path. In principle, a SPAN session mirrors every packet passing through a switch port to another port, replicating each frame and delivering a complete copy for offline analysis. But how scalable is this approach for current and future speeds in the Gigabit family?
Since the introduction of 10 Gigabit Ethernet over 20 years ago, the outlook has gradually but drastically changed:
More security and monitoring tools now need access to the same traffic 24/7 - but the switch limits the number of ports that can be defined as SPAN destinations
More switch ports now need to be monitored - but the switch limits the number of ports that can be defined as SPAN sources
The switch gives SPAN traffic a low priority - so packets will not make it through the SPAN port at the busiest times
Some tools need access to specific traffic only - but the switch cannot apply packet filtering to the SPAN port
Some tools need access to different traffic at different times - but the switch cannot easily be reconfigured to accommodate these changes
All of which means SPAN ports simply cannot be relied upon for security monitoring and compliance applications in service provider and enterprise data centers, or anywhere else.
Now, as environments transition to 25, 50, and 100 Gigabit Ethernet, it is even more challenging, if not impossible, for core switches to mirror all required full-duplex traffic at line rate, in real time, which effectively rules out SPAN for security purposes.
“The switch treats SPAN data with a lower priority than regular port-to-port traffic”, according to Cisco's White Paper on SPAN Port Usability. “In other words, if any resource under load must choose between passing normal traffic and SPAN data, the SPAN loses and the mirrored frames are arbitrarily discarded.” Now that users are aware that the SPAN port randomly drops traffic under specific load conditions, what measures should companies apply to prevent packets from dropping and losing visibility? The optimum approach, according to Cisco, is to “make decisions based on the traffic levels of the configuration and when in doubt to use the SPAN port only for relatively low-throughput situations”.
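To make the oversubscription arithmetic behind these drops concrete, here is an added example in Python (not code from the original article or from Network Critical): it checks whether the full-duplex traffic of the mirrored ports fits into a single SPAN destination link, and estimates the loss rate from source-versus-destination packet counters. The port names, utilisation figures and counters are constructed sample values, not measurements from any real switch.

```python
"""SPAN session capacity check: added example, not from the original article.

Models the oversubscription the text describes: a SPAN destination is a single
link, but each mirrored full-duplex source contributes both its receive and
transmit directions. All rates and counters are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class SourcePort:
    name: str
    link_gbps: float   # physical speed of the monitored port
    rx_util: float     # observed utilisation, receive direction (0..1)
    tx_util: float     # observed utilisation, transmit direction (0..1)

    def mirrored_gbps(self) -> float:
        # Mirroring both directions means the copy can exceed the source's own
        # link rate: a fully loaded 10G port yields 20G of mirrored frames.
        return self.link_gbps * (self.rx_util + self.tx_util)


def span_oversubscription(sources, dest_gbps):
    """Return (offered_gbps, ratio). A ratio above 1.0 means the destination
    cannot carry the mirrored load even before the switch deprioritises SPAN."""
    offered = sum(s.mirrored_gbps() for s in sources)
    return offered, offered / dest_gbps


def estimated_span_loss(source_pkts, dest_pkts):
    """Estimate the fraction of mirrored packets lost, from interface counters
    read over the same interval: packets crossing the sources (rx + tx) versus
    packets the monitoring tool received on the destination."""
    if source_pkts == 0:
        return 0.0
    return max(0.0, 1.0 - dest_pkts / source_pkts)


# Constructed sample: two 10G uplinks mirrored into one 10G SPAN destination.
SAMPLE_SOURCES = [
    SourcePort("Te1/1", 10.0, rx_util=0.60, tx_util=0.40),
    SourcePort("Te1/2", 10.0, rx_util=0.35, tx_util=0.25),
]
SAMPLE_DEST_GBPS = 10.0

if __name__ == "__main__":
    offered, ratio = span_oversubscription(SAMPLE_SOURCES, SAMPLE_DEST_GBPS)
    print(f"offered {offered:.1f} Gb/s into {SAMPLE_DEST_GBPS:.0f} Gb/s SPAN: ratio {ratio:.2f}")
    # Constructed counters over one window: 9.6M packets crossed the sources,
    # the tool received 6.0M on the destination.
    print(f"estimated SPAN loss {estimated_span_loss(9_600_000, 6_000_000):.0%}")
```

A ratio above 1.0, or a sustained gap between source and destination counters, is the practical signal that the SPAN port is silently discarding frames.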
Another scalability issue for SPAN ports is the restriction on monitoring tools, in terms of both type and number. Even capable switches frequently allow only two SPAN ports to be configured. Most networks might consider this sufficient, but it is likely that a situation will arise in which no SPAN ports are available. Meanwhile, the number of security monitoring tools continues to increase. Each of these tools is typically used by multiple teams involved in network operations or security, with changes made at different frequencies and visibility required into multiple but related network segments.
Unlike a SPAN port, a TAP (Test Access Point) guarantees that a copy of every packet is delivered to the appliance, with no possibility of oversubscription or packet loss. Network Critical's SmartNA Network TAP range is unique in the market, as each TAP has been built by us from the ground up to support 1G/10G/40G/100G and 400G. This allows for a more tailored device that suits your needs, making it an ideal TAP for any purpose, be it monitoring, security, or performance. The SmartNA TAPs can also aggregate, filter, slice, mask, strip, and more, to help you get the information you need to perform at your best. This cutting-edge technology scales to over 200 ports at 10/25/40 and 50G, saving rack space, and support for all speeds protects your network against obsolescence.
For more information, contact the Network Critical expert team at www.networkcritical.com/contact-us