Network Taps vs Span/Mirror ports

Network Taps vs Span/Mirror ports

How do you access network traffic today? Are you able to monitor traffic without adding points of failure or affecting network performance?

The first building-block to your visibility architecture is access to the data. That comes in one of two forms: a network tap, or a switch port analyser (SPAN) port (also known as port mirroring). But which is the right one?

A Network Tap captures network traffic in both directions and sends it to a monitoring device such as an Intrusion Detection System (IDS) or statistics traffic generator. Network taps optimize monitoring, security, and storage by enabling access to network traffic, reliably and unobtrusively.

Network Taps can be deployed passively at any inline connection on the network to provide 100% visibility for monitoring and security tools. A more effective solution than SPAN ports, Network Taps deliver all full-duplex network traffic—including Layer 1 and Layer 2 errors—to these devices as though the devices were deployed inline

How do you get instant access to full-duplex traffic for security analysis?

Are you able to scale your monitoring infrastructure to support multiple tools without increasing the complexity of your network architecture?

Are you concerned about SPAN port contention and switch degradation?

Switched port analyser or SPAN ports on network devices can also be used to monitor network traffic. However, the SPAN approach results in several costly disadvantages:

  • Monitoring and security devices do not receive traffic as though deployed inline
  • Layer 1 and 2 errors are not passed to monitoring tools
  • Solutions do not scale effectively
  • Copying packets and converting signals adds delay
  • Switch CPU and memory resources are consumed, impacting performance
  • Limited port capacity may cause packets to be dropped

In contrast, Network Taps pass traffic at wire-speed, are more reliable and immune to external attacks, and require little or no configuration to scale with network and technology needs.

A physical Ethernet tap provides complete traffic visibility and access to any network connection. A copper tap can be deployed onto any inline copper network link, delivering permanent monitoring access ports. The copper tap provides an out-of-band monitoring or security tool, with all traffic as if it were sitting inline. The taps send copies of traffic, including Layer 1 and Layer 2 errors, from each side of the full-duplex network link to its respective monitor ports. Network Taps provide network isolation, dropping any traffic that is accidentally or maliciously transmitted back onto the monitor ports. The copper taps are isolated from the network because they have no IP address, eliminating exposure to external attacks.

Ixia NetOptics Ethernet Tap Network

A SPAN port was a concept coined by Cisco used on Catalyst switches (Switched Port Analyzer) for mirroring packets to a port for monitoring purposes. It is software configurable, and you can set a single port to receive any packets sent or received on any “monitored” port. Generally the SPAN port has to be the same physical and logical characteristics of the monitored port. The SPAN port cannot be used for inbound traffic at all, effectively dedicating it for monitoring purposes. Different switches implement SPAN ports different ways — some only allow a single port to be monitored at a single time, some allow multiple ports to be funnelled into a single SPAN monitoring port, etc. But the term “SPAN port” has become synonymous with “port mirroring for monitoring purposes”.

Dedicated packet mirroring devices exist (such as Ixia, NetOptics, Netscout/VSS) whose entire mission in life is to make copies of IP packets. The flexibility they provide is far better than that of typical mirroring ports on a switch. They can generally groom traffic from one physical topology to another, merge and split streams, funnel many small streams to one large stream (e.g. 10 x 1G to 1 x 10G), even filter at L3/4. For flexible packet monitoring, these devices are always the way to go.
No matter what packet mirroring options you pick, you still need a device to capture or otherwise analyse the packets. Modern options include: IDS/IPS devices, DLP device, Security analytics devices, or simple packet capture devices.


Check out this YouTube video for an overview of how Network Taps can provide you with the visibility that your monitoring and security tools need to operate to their maximum effect:


Cloud Migration

The Challenge

The cloud promises compelling business advantages such as better cost–efficiency, faster response times, and easier access to resources. At the same time, migration represents some formidable unknowns:

How will application performance be impacted? Will operating in the cloud introduce new security risks? Were we better off before?

Throughout the process, companies need a reliable means of baselining, modeling, and comparing application performance, security, and the user experience delivered by cloud–based systems to those achieved in the physical world.

The Solution

Optimizing performance throughout cloud migration requires different tools and techniques at different stages:

Before you migrate…

The only way to know how migrating applications to the cloud will impact application performance is to take a look and measure quality before you do it. Ixia’s Hawkeye™ performance monitoring solution gives IT teams the ability to see how a service will act upon being moved from one environment to an other.

This is achieved by installing software–based agents within the prospective new cloud–based system and using them to measure the end–user quality of experience (QoE). Running realistic transactions across the system lets IT see what users will see to aid in fine–tuning configurations and eliminating blind spots—without impacting users or placing company assets at risk.

Using Hawkeye agents, IT can assess and compare performance in the existing physical and intended cloud environments from a desktop PC. First, they can run applications to internal servers where applications are currently hosted, then run the same application through their cloud provider’s network and measure the difference.

Maintaining performance in production clouds

Like the physical network, the cloud environment continues to change. The successful migration of an application or service needs to be followed up with ongoing visibility into performance and security.

Virtual visibility improves customers’ ability to do both by:

  • Equipping them to detect problems before they impact users
  • Helping them hold providers accountable
  • Maintain compliance

In physical networks, access to data used to monitor and troubleshoot performance is achieved using physical taps deployed on individual links. In the cloud, virtualized versions of taps capture and aggregate the same types of data from virtual machines (VMs) within hypervisors.

Ixia’s Phantom™ Virtualization Taps (vTaps) aggregate data from VMs and send it to the same Ixia network packet brokers (NPBs) used to intelligently distribute data to security and monitoring tools in the physical network. Tools then receive the exact mix of data from physical and virtual links that they need to make precisely the right decisions.

With vTaps in place, users don’t need to wait or rely upon service providers such as Microsoft and Amazon to supply the performance data needed to troubleshoot issues. Tenants can deploy vTaps on their own to eliminate blind spots, maintain audit trails, and preview the user experience with services such as Office 365 and Rackspace. While they don’t control the back end so to speak, users can maintain “agents” to prequalify and run through scenarios before they actually migrate applications and equip IT to keep a close eye on how services are performing at all times.

Ongoing visibility intelligence also delivers the data needed to verify that customers are actually receiving the level of service promised by cloud providers.

Case in Point: Healthcare Provider Saves Time and Money Analyzing Virtual Data

A large US health insurance provider to more than one million people uses server virtualization technology to optimize scale and efficiency. With its network 95% virtualized, the carrier required visibility to secure traffic between virtual machines, and to filter out patient data as required by the Health Insurance Portability and Accountability Act (HIPAA).

In upgrading its compliance processes, the company wished to evaluate performance analytics solutions from multiple leading vendors using serial testing of each tool during a 12–month period. To evaluate results, the company knew it needed visibility into its virtualized infrastructure. They looked at installing physical taps, but quickly realized the limitations of this approach.

“If we had tapped the physical links, we would have seen too much and not enough,” a Senior Network Engineer at the company explained. “Regulations and policies prohibit that.”

The company needed a way to copy only specific virtualized network traffic with minimal affect to the performance of the hosts and VMs. “We had achieved scale, and we didn’t want to re–evaluate our capacity assumptions of the entire data center just to copy virtual traffic,” said one Senior Network Engineer.

The company then tried a virtual tap solution and encountered a 30% performance loss. Finally, they found and deployed Ixia Phantom™ Virtualization Taps (vTaps) and network packet brokers (NPBs) to selectively filter and monitor only the traffic the company wanted to see. The solution maintained compliance by enabling analyze while securing virtualized data without impacting protected data.

With the Ixia visibility infrastructure in place, Ixia recommended a change to the original Proof of Concept (PoC) plan that allowed the provider to evaluate all of its prospective new performance monitoring solutions simultaneously. The Ixia NPB captured filtered packets from Phantom vTaps and replicated it to each of the tools under evaluation.

Performing a head–to–head test took approximately one month instead of the eleven originally estimated, which in turn led to savings of some $300K to select the right tool within just 30 days. And unlike the alternative solution, Phantom vTaps provided full visibility without impacting network performance. Virtually filtering traffic also helped to improve network utilization during the exporting of data for analysis.


To discuss how Iris Networks can help you with your cloud migration strategy, CONTACT US today!

OneTouch – New software Version v6.5.0

What’s new in v6.5.0 firmware

The v6.5 release will make the OneTouch the most complete troubleshooting tool for Enterprise network as well as the most versatile network validation tools with Autotest test for both Wired and Wi-Fi network.

  1. OneTouch 10G can perform NPT test based on ITU Y.1564 algorithm up to 10Gbps against another OneTouch 10G with ONE test stream.
  2. OneTouch 10G and G2 will support a Software NPT Reflector software for 10G NPT based on Y.1564, 1G wired NPT based on IETF RFC2544, and the Wi-Fi NPT.
  3. Allow user to define Autotest to Pass when Ping, TCP Connect, FTP or WEB failed.  This allows Autotest profile(s) to be created to validate SSID and/or VLAN configuration, such as those configured for Guest or non-IT related IoT devices, can successfully prevent access to critical IT resources.

Latest Cape Networks Updates!

Cape have released two new features that give you more visibility on two important processes that affect the user onboarding experience: DHCP and EAP:

  • DHCP DORA timing metrics – You are now able to peek into the the DHCP DORA (discover, offer, request, acknowledge) exchanges, whenever there is an issue, to view the breakdown of the transaction times and understand which part of the process is causing the delay or failure.
  • EAP timing visibility – In addition Cape are now providing Extensible Authentication Protocol (EAP) timing as a new metric that is tracked historically. Tracking EAP timing can help to identify issues with 802.1X (i.e. RADIUS authentication) performance.

And three new features that give you more control over the SSIDs you’re monitoring:

  • SSID aliasing – SSID aliasing enables more control over how SSIDs are tested.
  • Now you can:
    • Make SSID names more readable on the dashboard
    • Configure two or more different test profiles on the same SSID
    • Test SSIDs with the same name but different authentication methods or pass-phrases
    • Add multiple aliases where monitoring is locked to 2.4GHz or 5GHz and assign those aliases to different sensors
  • Band locking – SSIDs (and aliases) can now be tested on one band only. This means that sensors will only connect to the SSID and test it on the specified band. An SSID can be locked to 2.4 GHz only, 5 GHz only, or set to “Auto”. In Auto mode, which remains the default setting, the sensor will choose the best band to connect to similar to a regular client.
  • External Connectivity OverrideExternal connectivity testing can now be disabled on any specified SSID (or alias). Toggling this will disable testing, errors, and notifications related to external connectivity. This is helpful for networks where external connectivity to the internet is not supported or no DNS servers are configured. If no external connectivity is available via Wi-Fi or Ethernet, Cape sensors will upload test results via built-in cellular connectivity.


If you’d like to see these new features in action, ask us for a demo!

We’re Delighted To See That 2 Of Our Vendors Have Been Shortlisted For The Best New WiFi Startup Award @ WiFi NOW

For the second consecutive year Wi-Fi NOW will be honouring the the world’s most accomplished Wi-Fi companies. This year, the Wi-Fi NOW Awards ceremony will take place at Wi-Fi NOW Europe in The Hague, Netherlands on October 31 – November 2.

We’re delighted to see that 2 of our vendors Cape Networks and Mist have been announced to be 2 out of 3 of the finalists shortlisted for the Best New WiFi Startup award!

The winner will be announced at the Wi-Fi NOW Europe event later this month.

Aircheck G2 Mastercare (Gold) Support Owners: New Features With Firmware Update Now Available!

The NETSCOUT AirCheck G2 just got better with a new software release that adds several highly demanded features including the ability to simply perform iPerf performance tests.

Key New Features

  • Performance Testing: Quickly and easily test the throughput on your network by conducting iPerf tests from an AirCheck G2 to an iPerf server. Tests can be conducted with a customer’s iPerf server they install themselves or utilizing our new Test Accessory.
  • Captive Portal Support: Conduct all AirCheck tests on public facing networks that feature a captive portal websites that require a user to click through Terms and Conditions or type basic information into a form before access is given.
  • Authorization Classes: One of our popular AirCheck G1 features is now available on the AirCheck G2. Users can now mark APs as Authorized, Unauthorized, Neighboring, or Flagged.
  • Interferer Detection and Classification: Simply detect interferers such as Microwave ovens or wireless cameras using the wireless radio internal to the AirCheck G2.
  • Various Small Enhancements: There are several other minor enhancements that are detailed in the software release notes found on our website. They include: Channel overlap, supported vs. basic rates, and the ability to save packet captures.

Learn how these key new features (and more) are used in the real-world by watching this recorded webinar with customer George Stefanik, Wireless Architect. He walks through all the new features and how it helps save his team hours of testing time with the AirCheck G2 wireless tester and it’s new Test Accessory.



Cape Networks

[av_font_icon icon=’ue8d2′ font=’entypo-fontello’ style=” caption=” link=” linktarget=” size=’40px’ position=’left’ color=”][/av_font_icon]

 Partnership announcement: Cape Networks!

Iris Networks are excited to be bringing Cape Networks to the UK market. 

Continuously test your Wi-Fi and application performance from the perspective of an end user. Monitor and troubleshoot performance in your office or on the other side of the world without leaving your desk. Improve user experience and save on IT costs!

The Cape Sensor provides assurance by testing your Wi-Fi network, services, and apps 24/7.  The Cape Dashboard’s smart notifications alert you if something is wrong before users complain. Together they help you troubleshoot remotely, saving you time and effort.

Cape Networks Dashboard Iris Networks UK Reseller


This sleek sensor’s  powerful dual-core CPU runs a full Linux stack and an array of network tests. The sensor is always connected using at least one of three on-board network interfaces: Wi-Fi, Ethernet or Mobile. Remote software updates add features over time and ensure the sensor remains secure.

Cape Networks Dashboard Iris Networks UK Reseller


If you are interested in independently monitoring, testing and troubleshooting your WLAN, contact us to discuss your requirements!


Last Friday, Darktrace detected and automatically responded to the WannaCry ransomware for a number of partners and customers, including an NHS trust.

Darktrace uses machine learning and AI algorithms to automatically learn about our customers’ infrastructures, and then detect and respond to developing threats as they happen. The WannaCry malware activity was successfully identified due to the highly anomalous way in which the devices were behaving as they attempted to access and encrypt files, and laterally scan for other exposed devices.

On detecting the ransomware, Darktrace also responded in real time by forcibly dropping suspect connections within the internal network and stopping its spread. This entirely autonomous response, generated by Darktrace Antigena, gave security teams the vital time to catch up before the data was lost or encrypted.

The ease and speed with which Darktrace is deployed has enabled us to work with thousands of organisations around the world, and we are proud to have been able to help them defend against the largest ransomware attack in history this weekend.

If you are concerned about ransomware attacks or want to learn how to use Darktrace to automatically detect and respond to in-progress cyber-threats, you are advised to carry out a Proof of Value with Darktrace.


During a Proof of Value, a self-configuring appliance is installed within your network free of charge for a period of 30 days, allowing you to discover the benefits of Darktrace’s machine learning in your own infrastructure, without any technical set-up or financial overhead. To reserve an installation date, please contact us.


Press Release:

Break-through AI Technology Detects and Contains WannaCry Attack at NHS Agency Before Damage is Inflicted 

Cambridge, UK – May 15th, 2017 – Darktrace, the leader in Enterprise Immune System technology, has announced today that a number of its customers, including an NHS agency, successfully detected and contained a WannaCry ransomware attack on their networks on Friday with Darktrace’s break-through AI technology for cyber defense, which spotted the threat within minutes.

The WannaCry malware attack is unprecedented in scale and has affected over 200,000 devices across 150 countries according to Europol, including the UK’s National Health Service, Spain’s Telefonica and FedEx in the US. Spread by a pernicious email attachment and supercharged by a worm, the stealthy malware encrypts files, with cyber criminals demanding ransom before users can regain access to their data. Traditional security tools that use rules and signatures to stop cyber-threats at the border fell short in the face of this never-seen-before and fast-spreading malware.

Unlike the old attempts to keep malware at bay, the Enterprise Immune System is a pioneering, machine-learning technology capable of detecting and fighting back against stealthy ‘unknown unknowns’, such as WannaCry, automatically and in real time. Modeled after the most powerful biological system, the human immune system, the disruptive technology leverages advances in mathematics and machine learning, to learn the normal ‘pattern of life’ of every user and device on a network. Antigena, its automatic response technology, acts as a digital antibody, taking proportionate, remedial action to neutralize emerging threats. For example, it can slow down or stop a compromised connection or device, but does not impact normal business operations.

Darktrace’s AI technology alerted its affected customers as soon as the first signs of WannaCry emerged on their networks and as the malware was attempting to spread laterally across the respective organizations. The infection was successfully contained before it had inflicted any damage, proving the fundamental power of the Enterprise Immune System.

“At Darktrace we catch and contain ransomware every week,” commented Nicole Eagan, CEO at Darktrace. “WannaCry bypassed traditional security defenses proving them futile in this new era of cyber warfare. Security teams cannot face this challenge without the right tools in place. Darktrace’s Enterprise Immune System is a true manifestation of AI in action: detecting and stopping threats before the human teams have even had time to notice.”

Ixia Recognised on CRN’s 2017 Security 100 List

Ixia, a leading provider of network testing, visibility, and security solutions, announced today that CRN®, a brand of The Channel Company, has named Ixia to its annual Security 100 list. This project recognizes the coolest security vendors in each of five categories: Endpoint Security; Identity Management and Data Protection; Network Security; SIEM and Security Analytics; and Web, Email and Application Security.

This Smart News Release features multimedia. View the full release here:

(Graphic: Business Wire)

(Graphic: Business Wire)

The companies on CRN’s Security 100 list have demonstrated creativity and innovation in product development, as well as a strong commitment to delivering those offerings through a vibrant channel of solution providers. In addition to recognizing security technology vendors for outstanding products and services, the Security 100 list serves as a valuable guide for solution providers trying to navigate the IT security market. The list aids prospective channel partners in identifying the vendors that can best help them improve or expand their security offerings.

Working with Ixia positions partners to grow their security sales and practices while delivering better outcomes to customers. Ixia’s solution portfolio features network visibility solutions that play an increasingly critical role in optimizing enterprise security infrastructures. Visibility offerings include:

Ixia’s security portfolio also includes BreakingPoint® Virtual Edition, a cost-effective, virtualized test solution that enables enterprises to maximize security investments and performance, and ThreatARMOR® a threat intelligence gateway that blocks connections from known malicious IP addresses and untrusted countries.

“In an age of cyberattacks and heightened concerns about cybercrime against businesses of all sizes, protecting data has become a top priority, and security solutions are in higher demand than ever,” said Robert Faletra, CEO of The Channel Company. “CRN’s annual Security 100 list honors the expert technology suppliers at the forefront of this thriving field, and supports solution providers in their search for the right vendor partners to help them leverage the rich business opportunities it offers.”

The Security 100 list will be featured in the April 2017 issue of CRN and online at

Botnet: Is Your Company’s Network Next?

[av_button label=’Download The Infographic!’ link=’manually,’ link_target=’_blank’ size=’medium’ position=’center’ icon_select=’yes’ icon=’ue82d’ font=’entypo-fontello’ color=’theme-color’ custom_bg=’#444444′ custom_font=’#ffffff’]

BotNets are networks of computers, operated by hackers and cyber criminals and capable of being used to conduct malicious activities. The chilling fact is that a botnet is made up of regular, often unknowing computers, just like yours. A computer joins the botnet when it is infected by a virus, or other type of malware, which opens a secret communication channel between the local computer and the “Botmaster”, the criminal mastermind operating the network.

Across this secret communication channel, cyber criminals can steal private information from the local computer, and also direct its resources to conduct malicious activities: hitting other websites with traffic to bring them down (a DDoS attack), sending spam emails that may contain scams or malware, performing fake clicks on advertisements to generate fraudulent advertising revenue, and more.

This happens every day on corporate networks. A local computer is infected, behind the firewall, and that computer joins a botnet. For a local user, it may appear that the computer is working slowly or behaving strangely – or there may be no symptoms at all. It can take days, weeks or months until the breach is discovered. Until then, that local computer is in the hands of a criminal.

So how do you know if your network is vulnerable? Ixia is a leader in network security testing, helping thousands of organizations identify security threats, including botnets. Ixia have compiled an infographic illustrating the inner workings of botnet infections on a corporate network.

Knowing what to look for is the critical first step in implementing protections on your network.

Download the Full Version of this Infographic!



Do NOT follow this link or you will be banned from the site!