What is a Tap?
Test Access Ports, or Taps, are primarily used to give IT an easy and passive way to monitor a network link. They are normally placed between any two network devices, including switches, routers, and firewalls, to give network and security personnel a connection point for monitoring devices. Protocol analyzers, RMON probes, and intrusion detection and prevention systems can then be connected to and removed from the network whenever needed. Using a Tap also eliminates the need to schedule downtime to run cabling from network devices directly to the monitoring device, saving time and avoiding possible cabling issues.
Any monitoring device connected to a Tap receives the same traffic as if it were in-line, including all errors. The Tap achieves this by duplicating all traffic on the link and forwarding the copy to its monitoring port(s). Taps do not introduce delay, and they do not alter the content or structure of the data. They also fail open, so traffic continues to flow between the network devices if a monitoring device is removed or the Tap loses power.
Taps vs. Span Ports
In contrast, monitoring the network through Span ports requires an engineer to configure the switch or switches. Switches also apply checks on ingress ports that discard corrupt packets and packets below the minimum frame size. The problem is that a monitoring device on a Span port only captures the egress copy, so those discarded packets are never seen.
In addition, switches may drop layer 1 and selected layer 2 errors depending on what has been deemed high priority. A Tap, on the other hand, passes all data on the link, capturing everything needed to properly troubleshoot common physical layer problems, including bad frames caused by a faulty NIC.
Taps are designed to pass full-duplex traffic at line rate, non-blocking. In contrast, the software architecture of low-end switches may introduce delay while packets are copied to the Span port. Likewise, aggregating data from 10/100 Mb ports onto a gigabit port may introduce delay.
Furthermore, a Span port may not have the capacity to carry full-duplex traffic. For example, to capture all traffic on a 100 Mb link, a Span port would need 200 Mb of capacity (100 Mb in each direction). This simple oversight causes real problems, so a gigabit link is often required as a dedicated Span port.
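To make the three differences above concrete, here is an added example (not code from the Net Optics article) that simulates what a monitoring device sees behind a passive Tap versus behind a switch Span port. It assumes, as the text describes, that a Span port drops runt frames (shorter than 64 bytes) and frames with a bad FCS before copying, and that the Span destination can carry no more than its own line rate while a full-duplex link can offer twice the link rate. The Frame class, the helper functions, and the sample frames are all constructed for this illustration.

```python
"""Tap vs. Span port visibility simulation (added example, not vendor code)."""
import zlib
from dataclasses import dataclass

ETH_MIN_FRAME = 64  # minimum Ethernet frame size including FCS; shorter = runt


@dataclass(frozen=True)
class Frame:
    direction: str  # "A->B" or "B->A" on a full-duplex link (constructed label)
    payload: bytes  # everything before the 4-byte frame check sequence
    fcs: int        # 32-bit FCS as carried on the wire

    @property
    def length(self) -> int:
        return len(self.payload) + 4

    def fcs_ok(self) -> bool:
        # Ethernet FCS is CRC-32; a mismatch means the frame was corrupted on the wire.
        return (zlib.crc32(self.payload) & 0xFFFFFFFF) == self.fcs


def good_frame(direction: str, size: int) -> Frame:
    """Build a well-formed frame of `size` bytes with a correct FCS."""
    payload = bytes(size - 4)
    return Frame(direction, payload, zlib.crc32(payload) & 0xFFFFFFFF)


def corrupt_frame(direction: str, size: int) -> Frame:
    """Build a frame whose FCS no longer matches its payload (bit error)."""
    f = good_frame(direction, size)
    return Frame(f.direction, f.payload, f.fcs ^ 1)


def full_duplex_load_mbps(link_mbps: int) -> int:
    """A full-duplex link can carry link_mbps in each direction at once."""
    return 2 * link_mbps


def span_oversubscribed(link_mbps: int, span_mbps: int) -> bool:
    """True when both directions at line rate exceed the Span port's capacity."""
    return full_duplex_load_mbps(link_mbps) > span_mbps


def tap_copy(frames):
    """A Tap mirrors both directions at line rate, errored frames included."""
    return list(frames)


def span_copy(frames, span_mbps: int, window_s: float):
    """Frames a Span port delivers from traffic observed during `window_s` seconds.

    Ingress checks strip runts and bad-FCS frames first; then whatever exceeds the
    destination port's line rate within the window is tail-dropped.
    """
    clean = [f for f in frames if f.length >= ETH_MIN_FRAME and f.fcs_ok()]
    budget_bits = span_mbps * 1e6 * window_s
    delivered, used = [], 0
    for f in clean:
        bits = f.length * 8
        if used + bits > budget_bits:
            break  # Span destination saturated; remaining copies are lost
        delivered.append(f)
        used += bits
    return delivered


# Constructed sample: both directions of one link, with one runt and one CRC error.
SAMPLE_FRAMES = [
    good_frame("A->B", 1518),
    good_frame("B->A", 1518),
    good_frame("A->B", 60),        # runt: valid FCS but below 64 bytes
    corrupt_frame("B->A", 1000),   # bad FCS, e.g. from a faulty NIC
    good_frame("A->B", 512),
]

if __name__ == "__main__":
    print("Tap delivers :", len(tap_copy(SAMPLE_FRAMES)), "frames (all of them)")
    print("Span delivers:", len(span_copy(SAMPLE_FRAMES, 100, 1.0)), "frames (errors stripped)")
    print("Span delivers:", len(span_copy(SAMPLE_FRAMES, 100, 0.0002)),
          "frame  (errors stripped and port saturated)")
    print("100 Mb full duplex needs", full_duplex_load_mbps(100), "Mb of Span capacity;",
          "oversubscribed on a 100 Mb Span port:", span_oversubscribed(100, 100))
```

The second span_copy call uses a 200 microsecond window, which is enough to show the tail drop that occurs when both directions of a saturated 100 Mb link are mirrored into a single 100 Mb Span port; on the Tap side nothing is lost because each direction has its own monitoring port at line rate.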
It is also common practice for network engineers to span VLANs across gigabit ports. Beyond the extra switch ports this requires, it is often difficult to "combine" or match packets back to the particular link they originated on. So while spanning a VLAN can be a good way to get an overall feel for network issues, pinpointing the source of an actual problem may be difficult.
Some switches may struggle to process normal network traffic under heavy load. Add the fact that the switch must also decide which traffic to copy to a Span port, and you may introduce performance issues for all traffic. Taps provide a permanent, passive, zero-delay alternative.
Lastly, the use of Taps optimizes both network and personnel resources. Monitoring devices can be deployed easily when and where needed, and engineers do not need to re-cable a network link or reconfigure switches to monitor traffic. The example in figure 1 illustrates a typical Tap deployment for one monitoring device. A Tap with two monitoring ports goes further, eliminating the need for the network and security teams to share the single Span port that may have been configured for monitoring devices. A regeneration Tap can simultaneously feed data from one link to four monitoring devices, and an aggregation Tap can simultaneously feed data from multiple links to one monitoring device.
Thanks to Net Optics for the article.