In the market for network analyzer or Intrusion Detection System (IDS) Test Access Points (TAPs)?
Back in the fall of last year I posted a couple of blogs (see “Is Spanning Bad” and “Is RSPAN Bad”) on using the port mirror (or SPAN) feature, available for “free” in many of today’s switches and routers, to capture packets. As noted in those blogs, there are certain performance concerns depending on the switch architecture, number of ports, volume of traffic being monitored, and so on. What you get in return for those concerns is flexibility: having the switch aggregate a full duplex stream, being able to choose one or more inbound/outbound ports to monitor, including a group of ports assigned to a VLAN, and traffic filtering.
On the other hand, I do like TAP technology for a number of applications, such as when you need accurate packet timestamps (not delayed by the switch forwarding frames to the mirror port) or need to see whether there are packets with physical errors on the link, hopefully not induced by your TAP! (The latter statement is actually not so amusing. I know of at least one case where inserting an active TAP actually fixed the customer’s link problem, sort of the opposite of what you’d expect.)
In today’s multi-tool environments, there are also instances where you may wish to use both SPANing and TAPing. One example would be having both an analyzer and IDS monitoring the same segment, ports, or VLAN coming off a switch. With most switches having only one monitor port, this requires a specialized TAP that allows more than one device to monitor the same port.
Some TAPs are only available as first generation “dumb” in-line tapping technology – one port, one analyzer with one or more such isolated combinations in a box. Further, if you need to monitor a different port, you need to physically go to the tap and manually move the analyzer’s connection from one port to another. Such taps make more sense for IDS tools that are permanently monitoring a firewall link, for instance.
Having a port replicated to more than one monitoring device simultaneously (some even allow a 1:8 ratio) is just the tip of the iceberg for the new generation of TAPs. Also supported is the reverse of port replication, port aggregation, which has many applications. For starters, you may wish to monitor a full duplex gigabit (or 100 Mbps) fiber or copper connection with a single analyzer port. Having the tap aggregate the RX and TX streams into a single RX stream frees up ports on your analyzer, reducing hardware cost and allowing more simultaneous captures. Or perhaps you only have your portable laptop-based analyzer handy, with a single 10/100/1000 Mbps Ethernet port.
Such aggregating taps also contain an on-board packet buffer for those momentary traffic bursts where the combined receive and transmit load of a full duplex connection exceeds fifty percent of its capacity, that is, more than the single analyzer port can drain. The majority of gigabit connections typically average in the 5 to 10 percent utilization range. Keep in mind that the buffer only covers bursts: if the combined load stays above what the analyzer port can absorb for longer than the buffer can hold, the tap has no choice but to discard packets, and your analyzer or IDS will never see them. For core connections that exceed 50% for extended periods of time, dedicated FDX gigabit hardware is recommended, such as the high performance SL1 and XL1 two- and four-port multi-media gigabit NICs supported by the WildPackets Omni DNX engine.
Another nifty use for aggregation TAPs is monitoring trunking or link aggregation, a common practice for switch-to-switch (or switch-to-server) connections using multiple 100 Mbps or gigabit links. For this, you need 4:1 or higher aggregation, and again adequate buffering to handle bursts (note that with four inputs feeding one analyzer port, the no-loss ceiling drops to an average of 25% per direction). Such a monitoring solution can eliminate expensive, dedicated trunking hardware in the analyzer.
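To make the buffering and oversubscription behaviour described in the two preceding paragraphs concrete, here is a small fluid model of an N:1 aggregating TAP. It is an added example written for this page, not code from the original post or from any TAP vendor, and everything in it is hypothetical: traffic is described as bytes offered per 1 ms slice on each tapped direction, the analyzer port drains at a fixed line rate, and once the on-board buffer is full the excess is dropped. It covers both the 2:1 full duplex case and the 4:1 trunk case, so you can see where a short burst is absorbed and where sustained load turns into packets the analyzer never sees.

```python
"""Fluid model of an N:1 aggregating TAP with a finite on-board packet buffer.

Added illustration only (not the post's or any vendor's code). Assumptions,
all hypothetical: traffic is bytes offered per 1 ms slice per tapped
direction; the analyzer port drains at a fixed line rate; once the buffer is
full, excess bytes are dropped and never reach the analyzer.
"""
from dataclasses import dataclass

GIGABIT_BYTES_PER_MS = 1_000_000_000 // 8 // 1_000   # 125_000 bytes per ms


@dataclass
class AggregationResult:
    delivered: int              # bytes actually forwarded to the analyzer port
    dropped: int                # bytes lost because the buffer was full
    peak_buffer: int            # highest buffer occupancy seen (bytes)
    oversubscribed_slices: int  # slices where offered load > output line rate
    queued_at_end: int          # bytes still buffered when the trace ends


def constant_rate(utilization_pct: int, slices: int,
                  link_bytes_per_ms: int = GIGABIT_BYTES_PER_MS) -> list[int]:
    """Constructed trace: one direction at a fixed utilization (whole percent)."""
    return [link_bytes_per_ms * utilization_pct // 100] * slices


def with_burst(base_pct: int, burst_pct: int, slices: int,
               burst_start: int, burst_len: int) -> list[int]:
    """Constructed trace: base utilization with one contiguous burst."""
    trace = constant_rate(base_pct, slices)
    for t in range(burst_start, min(slices, burst_start + burst_len)):
        trace[t] = GIGABIT_BYTES_PER_MS * burst_pct // 100
    return trace


def aggregate(streams: list[list[int]],
              out_bytes_per_ms: int = GIGABIT_BYTES_PER_MS,
              buffer_bytes: int = 1_000_000) -> AggregationResult:
    """Merge N input streams onto one output port through a bounded FIFO.

    Per slice: arrivals are queued, the output port drains up to its line
    rate, and whatever still exceeds the buffer capacity is dropped. Bytes,
    not individual frames, so this is an approximation for sizing intuition.
    """
    n_slices = len(streams[0])
    if any(len(s) != n_slices for s in streams):
        raise ValueError("all input streams must cover the same number of slices")

    buf = delivered = dropped = peak = oversub = 0
    for t in range(n_slices):
        offered = sum(s[t] for s in streams)
        if offered > out_bytes_per_ms:
            oversub += 1
        buf += offered
        sent = min(buf, out_bytes_per_ms)   # output port drains at line rate
        buf -= sent
        delivered += sent
        if buf > buffer_bytes:              # buffer full: the tap has to discard
            dropped += buf - buffer_bytes
            buf = buffer_bytes
        peak = max(peak, buf)
    return AggregationResult(delivered, dropped, peak, oversub, buf)


def max_sustained_utilization(n_inputs: int) -> float:
    """Highest average per-direction utilization an N:1 aggregator can carry
    without steady-state loss: 0.5 for a full duplex link, 0.25 for 4:1."""
    return 1.0 / n_inputs


if __name__ == "__main__":
    # Full duplex gigabit link at 10% each way: comfortably under the 50% line.
    print("quiet link:", aggregate([constant_rate(10, 100), constant_rate(10, 100)]))

    # Same link with a 20 ms burst to 60% in both directions (120% combined).
    rx = with_burst(10, 60, 100, burst_start=10, burst_len=20)
    tx = with_burst(10, 60, 100, burst_start=10, burst_len=20)
    print("1 MB buffer:  ", aggregate([rx, tx], buffer_bytes=1_000_000))
    print("256 KB buffer:", aggregate([rx, tx], buffer_bytes=256_000))

    # 4:1 aggregation of a two-link trunk at 30% on every direction:
    # 120% sustained, so any buffer eventually overflows and drops continuously.
    print("4:1 trunk:", aggregate([constant_rate(30, 200) for _ in range(4)]))
```

The second and third runs are the interesting ones: the same burst is absorbed by a 1 MB buffer but loses 244 KB with a 256 KB buffer, and the trunk scenario shows that once the average exceeds the 1/N ceiling no buffer size helps, which is exactly the case where dedicated full duplex capture hardware is the right answer.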
Now imagine adding matrix switching, which gives you the freedom to remotely select from a number of tapping sources. Alternatively, if you only need to select from a modest number of TAP sources, you could populate your probes with high-density 10/100/1000 Mbps Ethernet hardware. The Intel 4-port PCI-X server NIC is pretty slick, and we offer it in our WildPackets Omnipliance. This setup also allows simultaneous monitoring of more than one source, versus the single-port selection of a matrix switch. Often, a combination of the two is desirable.
There are also products that combine in-line TAPing and switching in a single box. Some even allow automatic port scanning or roving for data sampling. Run out of ports? Merely daisy chain multiple matrix switches together.
Did I mention that many of these in-line, port regeneration, and port aggregation taps allow you to change media types (such as SX/TX or LX/SX) from the source media to the analyzer? If your gig connections are fiber, why not take advantage of the low-cost copper NICs in your analysis tool?
In summary, we have four major areas of tapping technology: the traditional “dumb” network TAP, regeneration TAPs, matrix switches as “front-ends” for SPAN ports and TAPs, and multi-stream aggregation TAPs. There are several sources of such taps, including NetOptics, Datacom Systems, and the upstart Gigamon, which focuses strictly on gigabit “one-to-many” and “many-to-one” tapping and monitoring. VSS Monitoring offers switch control via SNMP, although this sets the stage for another debate: “hardened” management control via “out-of-band” RS-232 ports connected only to the remote monitoring tool vs. “in-band” SNMP accessibility. The convenience of in-band management cuts both ways, since an SNMP agent reachable from the production network is also a place where a misconfiguration or a leaked community string could let someone quietly redirect, or cut off, the traffic your analyzer and IDS are watching.
This new generation of smart TAPs is definitely not your old song and dance.