Network Taps vs Span/Mirror ports

Network Taps vs Span/Mirror ports

How do you access network traffic today? Are you able to monitor traffic without adding points of failure or affecting network performance?

The first building-block to your visibility architecture is access to the data. That comes in one of two forms: a network tap, or a switch port analyser (SPAN) port (also known as port mirroring). But which is the right one?

A Network Tap captures network traffic in both directions and sends it to a monitoring device such as an Intrusion Detection System (IDS) or statistics traffic generator. Network taps optimize monitoring, security, and storage by enabling access to network traffic, reliably and unobtrusively.

Network Taps can be deployed passively at any inline connection on the network to provide 100% visibility for monitoring and security tools. A more effective solution than SPAN ports, Network Taps deliver all full-duplex network traffic—including Layer 1 and Layer 2 errors—to these devices as though the devices were deployed inline

How do you get instant access to full-duplex traffic for security analysis?

Are you able to scale your monitoring infrastructure to support multiple tools without increasing the complexity of your network architecture?

Are you concerned about SPAN port contention and switch degradation?

Switched port analyser or SPAN ports on network devices can also be used to monitor network traffic. However, the SPAN approach results in several costly disadvantages:

  • Monitoring and security devices do not receive traffic as though deployed inline
  • Layer 1 and 2 errors are not passed to monitoring tools
  • Solutions do not scale effectively
  • Copying packets and converting signals adds delay
  • Switch CPU and memory resources are consumed, impacting performance
  • Limited port capacity may cause packets to be dropped

In contrast, Network Taps pass traffic at wire-speed, are more reliable and immune to external attacks, and require little or no configuration to scale with network and technology needs.

A physical Ethernet tap provides complete traffic visibility and access to any network connection. A copper tap can be deployed onto any inline copper network link, delivering permanent monitoring access ports. The copper tap provides an out-of-band monitoring or security tool, with all traffic as if it were sitting inline. The taps send copies of traffic, including Layer 1 and Layer 2 errors, from each side of the full-duplex network link to its respective monitor ports. Network Taps provide network isolation, dropping any traffic that is accidentally or maliciously transmitted back onto the monitor ports. The copper taps are isolated from the network because they have no IP address, eliminating exposure to external attacks.

Ixia NetOptics Ethernet Tap Network

A SPAN port was a concept coined by Cisco used on Catalyst switches (Switched Port Analyzer) for mirroring packets to a port for monitoring purposes. It is software configurable, and you can set a single port to receive any packets sent or received on any “monitored” port. Generally the SPAN port has to be the same physical and logical characteristics of the monitored port. The SPAN port cannot be used for inbound traffic at all, effectively dedicating it for monitoring purposes. Different switches implement SPAN ports different ways — some only allow a single port to be monitored at a single time, some allow multiple ports to be funnelled into a single SPAN monitoring port, etc. But the term “SPAN port” has become synonymous with “port mirroring for monitoring purposes”.

Dedicated packet mirroring devices exist (such as Ixia, NetOptics, Netscout/VSS) whose entire mission in life is to make copies of IP packets. The flexibility they provide is far better than that of typical mirroring ports on a switch. They can generally groom traffic from one physical topology to another, merge and split streams, funnel many small streams to one large stream (e.g. 10 x 1G to 1 x 10G), even filter at L3/4. For flexible packet monitoring, these devices are always the way to go.
No matter what packet mirroring options you pick, you still need a device to capture or otherwise analyse the packets. Modern options include: IDS/IPS devices, DLP device, Security analytics devices, or simple packet capture devices.


Check out this YouTube video for an overview of how Network Taps can provide you with the visibility that your monitoring and security tools need to operate to their maximum effect:


Cloud Migration

The Challenge

The cloud promises compelling business advantages such as better cost–efficiency, faster response times, and easier access to resources. At the same time, migration represents some formidable unknowns:

How will application performance be impacted? Will operating in the cloud introduce new security risks? Were we better off before?

Throughout the process, companies need a reliable means of baselining, modeling, and comparing application performance, security, and the user experience delivered by cloud–based systems to those achieved in the physical world.

The Solution

Optimizing performance throughout cloud migration requires different tools and techniques at different stages:

Before you migrate…

The only way to know how migrating applications to the cloud will impact application performance is to take a look and measure quality before you do it. Ixia’s Hawkeye™ performance monitoring solution gives IT teams the ability to see how a service will act upon being moved from one environment to an other.

This is achieved by installing software–based agents within the prospective new cloud–based system and using them to measure the end–user quality of experience (QoE). Running realistic transactions across the system lets IT see what users will see to aid in fine–tuning configurations and eliminating blind spots—without impacting users or placing company assets at risk.

Using Hawkeye agents, IT can assess and compare performance in the existing physical and intended cloud environments from a desktop PC. First, they can run applications to internal servers where applications are currently hosted, then run the same application through their cloud provider’s network and measure the difference.

Maintaining performance in production clouds

Like the physical network, the cloud environment continues to change. The successful migration of an application or service needs to be followed up with ongoing visibility into performance and security.

Virtual visibility improves customers’ ability to do both by:

  • Equipping them to detect problems before they impact users
  • Helping them hold providers accountable
  • Maintain compliance

In physical networks, access to data used to monitor and troubleshoot performance is achieved using physical taps deployed on individual links. In the cloud, virtualized versions of taps capture and aggregate the same types of data from virtual machines (VMs) within hypervisors.

Ixia’s Phantom™ Virtualization Taps (vTaps) aggregate data from VMs and send it to the same Ixia network packet brokers (NPBs) used to intelligently distribute data to security and monitoring tools in the physical network. Tools then receive the exact mix of data from physical and virtual links that they need to make precisely the right decisions.

With vTaps in place, users don’t need to wait or rely upon service providers such as Microsoft and Amazon to supply the performance data needed to troubleshoot issues. Tenants can deploy vTaps on their own to eliminate blind spots, maintain audit trails, and preview the user experience with services such as Office 365 and Rackspace. While they don’t control the back end so to speak, users can maintain “agents” to prequalify and run through scenarios before they actually migrate applications and equip IT to keep a close eye on how services are performing at all times.

Ongoing visibility intelligence also delivers the data needed to verify that customers are actually receiving the level of service promised by cloud providers.

Case in Point: Healthcare Provider Saves Time and Money Analyzing Virtual Data

A large US health insurance provider to more than one million people uses server virtualization technology to optimize scale and efficiency. With its network 95% virtualized, the carrier required visibility to secure traffic between virtual machines, and to filter out patient data as required by the Health Insurance Portability and Accountability Act (HIPAA).

In upgrading its compliance processes, the company wished to evaluate performance analytics solutions from multiple leading vendors using serial testing of each tool during a 12–month period. To evaluate results, the company knew it needed visibility into its virtualized infrastructure. They looked at installing physical taps, but quickly realized the limitations of this approach.

“If we had tapped the physical links, we would have seen too much and not enough,” a Senior Network Engineer at the company explained. “Regulations and policies prohibit that.”

The company needed a way to copy only specific virtualized network traffic with minimal affect to the performance of the hosts and VMs. “We had achieved scale, and we didn’t want to re–evaluate our capacity assumptions of the entire data center just to copy virtual traffic,” said one Senior Network Engineer.

The company then tried a virtual tap solution and encountered a 30% performance loss. Finally, they found and deployed Ixia Phantom™ Virtualization Taps (vTaps) and network packet brokers (NPBs) to selectively filter and monitor only the traffic the company wanted to see. The solution maintained compliance by enabling analyze while securing virtualized data without impacting protected data.

With the Ixia visibility infrastructure in place, Ixia recommended a change to the original Proof of Concept (PoC) plan that allowed the provider to evaluate all of its prospective new performance monitoring solutions simultaneously. The Ixia NPB captured filtered packets from Phantom vTaps and replicated it to each of the tools under evaluation.

Performing a head–to–head test took approximately one month instead of the eleven originally estimated, which in turn led to savings of some $300K to select the right tool within just 30 days. And unlike the alternative solution, Phantom vTaps provided full visibility without impacting network performance. Virtually filtering traffic also helped to improve network utilization during the exporting of data for analysis.


To discuss how Iris Networks can help you with your cloud migration strategy, CONTACT US today!

Do NOT follow this link or you will be banned from the site!