What is a Network TAP and Why do we care?
Updated: Apr 22, 2020
What is a Network TAP?
When you think of a TAP, what comes to mind? Perhaps you imagine it to be a water tap on a sink for getting water or maybe a Beer tap?
Well in our case, “TAP” is an acronym for “Traffic Access Point” or “Test Access Point” and is a hardware device inserted at a specific point in a network where data can be accessed for testing or troubleshooting purposes. They are mainly used to monitor the network traffic between two points in a network infrastructure.
A network TAP typically consists of four ports: a network port A and B and two monitoring ports A and B. The network ports collect traffic from the network. Network port A receives the Eastbound traffic and port B receives the Westbound traffic. The monitoring ports provide a copy of this traffic to an attached monitoring device. Monitor port A will copy the Eastbound traffic and monitor port B will copy the Westbound traffic.
Typically, a network TAP is placed between two points in the network. The network cable between points A and B is replaced with a pair of cables, which are then connected to the TAP. Traffic is passively routed through the TAP, without the network’s knowledge. This allows the TAP to make a copy of the traffic, which is sent out of the monitoring port to be used by another tool without changing the network traffic flow.
Why do I need a Network TAP?
There are many different methods for gaining access to your network. Some of the traditional methods used for gaining access to network traffic include using a SPAN/VACL port on your switch or connecting a monitoring device in-line on the network. There are challenges with both scenarios.
Using a SPAN port can often be the lowest cost solution, but using this method has many hazards. Often, when SPAN ports are over-subscribed, packets are dropped before data reaches the monitoring tool. There is also the risk of the losing some of the error packets that may be causing problems. If the data never reaches the monitoring tool because it is being dropped, it is impossible to effectively troubleshoot, no matter how advanced a tool you may be using “You can’t fix what you can’t see!”.
There are different problems when a tool is installed in-line. Especially when dealing with a critical network, it is essential that the network is available all the time because down time can be very costly. When a device is installed in-line, the network must be brought down every time updates are required or the tool needs to be re-booted. Similarly, if the monitoring tool fails, the network will go down as well.
These problems can be solved by using a TAP. When using a TAP, you will be guaranteed that every packet is being sent from the network to the monitoring tool. Because these devices are never over-subscribed, they always pass every packet including layer 1 and layer 2 errors.
Types of Network TAPs
There are several types of TAPs to choose from to achieve different functionality according to the structure and needs of your network.
Breakout TAPs are the simplest form of TAP. A Breakout TAP consists of four ports: two input ports and two output ports. The two input ports each collect traffic from the network; one collecting traffic traveling from point A to point B on the network, the other collecting traffic from point B to point A on the network. The Breakout TAP then sends a copy of this traffic out of the monitoring ports - the A to B traffic is passed out of monitor port C and the B to A traffic out to monitor port D.
Both monitoring ports are then connected to some form of monitoring device. This allows a copy of the traffic from a single network segment to be monitored and/or analyzed without disturbing the network.
Aggregating TAPs allow you to take the eastbound and westbound network traffic and aggregate it out to a single monitoring port. This will allow you to use just one monitoring port instead of two, to see your network traffic saving you ports on your monitoring appliances.
But if your troubleshooting requires that you see all of the traffic with Real Time correlation this may not be a good solution because the aggregating TAP interleaves or aggregates the 1G eastbound and 1G westbound traffic into a single 1G monitor port. This can cause the monitor port to be oversubscribed whenever the link gets too busy. Also, how the data is aggregated is not always correct, especially when there are bursts of data or long files, the timing can be significantly off.
For these and many other reasons the Breakout TAP is the best TAP to use for serious and accurate troubleshooting.
Or, an alternative would be to use a unique Aggregating TAP available from Profitap called the Profishark. The ProfiShark series provides flexibility without compromising performance, as it captures 100% of full-duplex 1G traffic passing through it.
ProfiShark comes in 1 G and 10G versions for deep capture and if added to Iota one can deep capture and visualization Remotely with total Security!
Combine the ProfiShark 1G with a Windows, Linux or macOS computer through its USB 3.0 port for a complete network analysis solution. The ProfiShark 1G captures packets of all sizes and types and offers a wide assortment of capture and configuration options, information, and statistics, through the ProfiShark Manager.
SPAN/Regeneration TAPs will permit you to take unidirectional traffic from one network segment and send it to multiple monitoring tools. This allows you to send a single traffic stream to a range of different monitoring tools, each serving a different purpose.
The SPAN port from Switches and Routers are also subject to losing some traffic because the switch or router will forgo servicing the SPAN ports whenever they get too busy.
Bypass (In-Line) TAPs
Bypass TAP (also known as Inline TAP) allow you to place an active network tool "Virtually Inline". These TAPs are used where monitoring devices need to be placed in-line on the network to be effective but putting these devices inline will compromise the integrity of a critical network.
By placing a ‘Bypass TAP’ in its place and connecting the monitoring tool to the ‘Bypass TAP’, you can guarantee that the network link will continue to flow, and the in-line device will not become a ‘point of failure’.
"When the monitor appliance goes off-line for any reason, the heartbeat packets are no longer returned to the TAP causing the TAP to bypass the monitor appliance and keep the critical link running."
Author - George Bouchard - George is a Technology Writer and Evangelist for ProfiTAP, a worldwide leader in providing unique and the highest quality visibility and access solutions for Network Visibility and Testing.
“It All Starts with Visibility!”
George has been in associated with many network analysis and testing companies in his many years in the networking industry, Network General makers of the original network “Sniffer”, Netcom (now Spirent), NetIQ (now part of Micro Focus) and ClearSight.
The technology industry has always amazed me because the technology of my youth was the Monroe Calculator and the IBM Electric Typewriter (before Selectric) I am always in awe on how far the industry has advanced in my lifetime.
**Note from the Editor - I have known George for many decades and not only is he a super friend but an awesome and very experienced technologist and that is why he is writing the "Know Your Network" series.