To best carry out traffic monitoring via the ports in our networks, we should consider the available options and weigh their pros and cons.
There are several options available to us, including:
The traditional traffic capturing solution — and probably also the most common method used across the data information industry — is port mirroring.
Also known as SPAN (Switched Port Analyzer) or roving analysis, this is a method for catching and observing network traffic in a non-intrusive manner. It is a software feature built into a network switch or router that creates a copy of selected packets passing through the device and sends them to a designated mirrored (SPAN) port. Using software, we can easily configure or change what data is to be monitored.
We set up our mirrored ports, managed locally or remotely, to forward a copy of each incoming and/or outgoing packet from the ports of our SPAN switches to other ports where our analysis devices or monitoring stations are connected.
To configure the port mirroring, we select the relevant source ports (from which all packets will be copied) and the relevant destination ports (where the copies of the packets will be sent to).
We can include either all packets in the port mirroring or only the transmitted/received packets.
If both transmitted and received packets are included, a packet going from one monitored port to another monitored port will be copied twice to the destination port (due to the mirroring). This duplication could affect the measurements (such as retransmission rates and/or response times) and the performance of the analysis devices. Built-in filtering and deduplication algorithms therefore handle the redundant data, cleaning it out and ensuring that no duplicates are passed on.
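The double-copy case described above can be handled on the analysis side with a time-windowed deduplication pass. The following is an added example, not code from the original page or from any vendor; the function name, the 1 ms window and the sample frames are assumptions, and it assumes both mirrored copies are byte-identical (switched within one VLAN, no header rewrite).

```python
import hashlib
from collections import OrderedDict


def dedupe_mirrored(frames, window=0.001):
    """Drop mirror duplicates from a capture.

    frames: iterable of (timestamp_seconds, frame_bytes) in capture order.
    A frame is a duplicate if an identical frame was kept at most
    `window` seconds earlier. Returns (kept_frames, dropped_count).
    """
    recent = OrderedDict()  # digest -> timestamp of the copy we kept
    kept, dropped = [], 0
    for ts, frame in frames:
        # Expire old digests so memory stays bounded and a later,
        # genuine retransmission is not mistaken for a mirror copy.
        while recent:
            oldest_digest, seen = next(iter(recent.items()))
            if ts - seen <= window:
                break
            recent.popitem(last=False)
        digest = hashlib.blake2b(frame, digest_size=16).digest()
        if digest in recent:
            dropped += 1  # second copy produced by RX+TX mirroring
        else:
            recent[digest] = ts
            kept.append((ts, frame))
    return kept, dropped


# Constructed sample capture (not real traffic).
FRAME_A = b"\x02\x00\x00\x00\x00\x01\x02\x00\x00\x00\x00\x02\x08\x00payload-A"
FRAME_B = b"\x02\x00\x00\x00\x00\x02\x02\x00\x00\x00\x00\x01\x08\x00payload-B"
SAMPLE_FRAMES = [
    (0.000000, FRAME_A),  # copied on ingress of monitored port 1
    (0.000020, FRAME_A),  # copied again on egress of monitored port 2
    (0.000500, FRAME_B),  # unrelated frame
    (0.250000, FRAME_A),  # genuine retransmission, well outside the window
]

if __name__ == "__main__":
    kept, dropped = dedupe_mirrored(SAMPLE_FRAMES)
    print(f"kept={len(kept)} dropped={dropped}")
```

Without the window expiry, the retransmission at 0.25 s would be discarded along with the mirror copy, which would understate the retransmission rate instead of overstating it.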
Port mirroring is one of the most popular solutions for traffic monitoring, and offers the following advantages:
Mirrored ports can be used for non-time-sensitive monitoring (for example, address inventory).
Such monitoring instances handle low bandwidth application layer events like:
These monitoring requirements do not consume a large amount of bandwidth or require packet grooming. Thus, dropped packets do not affect the quality of the reports and statistics. Their success relies on the fact that they stay within the parameters and capability of the mirrored port’s capacity. These specific applications are not dependent on every frame for their successful analysis or reporting.
In certain cases, an alternative solution for long-term monitoring may be a network tap (terminal access point). This is a hardware device that passively captures traffic on a network, and is commonly used to monitor the network traffic between two points in the network. If the network between these two points consists of a physical cable, a network tap may be the best way to capture traffic. Taps are commonly used by monitoring and collection devices like APS. Taps can also be used in security applications because they are non-obtrusive, are not detectable on the network, and can deal with full-duplex and non-shared networks. Passive taps will pass traffic through even if the tap stops working or loses power.
Consider using mirrored ports for the following network scenarios:
When configured and managed appropriately, port mirroring is a valid and valuable tool and system asset.
Port mirrors and taps both have their strengths and weaknesses, so selecting the right solution will depend on your network design and requirements - and, of course, your budget.
Consider that port mirroring solutions do not consume a large amount of bandwidth and are relatively inexpensive (most switches have the feature already embedded in them). Tap devices, on the other hand, can be inserted in the network at different points to provide full exposure and visibility - and when they are passive taps on fiber cabling, they can continue working even during power loss.