Background
I’m sure you’re already aware of the battle between the Network TAP and the switch port analyzer (SPAN port) for network monitoring purposes. Both serve the function of mirroring traffic on your network and sending it to out-of-band security tools such as intrusion detection systems, network recorders, or network analyzers. A SPAN port is configured on an enterprise switch with port mirroring capabilities: it is a dedicated port on a managed switch that carries a mirrored copy of network traffic off the switch to a security tool. A TAP, on the other hand, is a device that passively splits the network traffic flowing over a link and delivers a copy to the security tool. TAPs receive network traffic in real time, in both directions, and on separate channels for each direction.
Here are the five main advantages of a TAP over a SPAN port:
1. TAPs capture EVERY SINGLE PACKET!
A SPAN port discards corrupt packets and packets below the minimum frame size. Security tools therefore do not receive all of the traffic, because the switch gives forwarding traffic higher priority than the mirrored copies. Additionally, RX and TX traffic is aggregated onto a single port, which further increases the chance of dropped packets. TAPs capture all bi-directional traffic delivered on every single destination port, including port errors.
2. Completely passive solution, no IP configuration or power required
A passive TAP is used mainly in fiber-optic networks, where it receives traffic from both directions of the link and splits the incoming light so that 100% of the traffic is seen by the monitoring tool. Passive TAPs do not need any power; therefore, they add a layer of redundancy, require little maintenance, and reduce overall expenses. If you plan to monitor copper Ethernet traffic, then active TAPs are what you need. They do require power; however, Niagara's Active Copper TAPs include Failsafe Bypass Technology, which eliminates the risk of service interruptions in the event of a power outage.
3. Zero packet loss
Network TAPs can monitor both sides of a link individually, providing 100% visibility into bi-directional network traffic. TAPs do not drop any packets regardless of the bandwidth.
4. Good for moderate to high network utilization environments
A SPAN port can’t handle highly utilized network links without dropping packets; therefore, a network TAP is required for these situations. If the mirrored traffic sent to the SPAN destination port exceeds that port's capacity, the SPAN port becomes oversubscribed and the switch is forced to drop packets. To capture 10Gb of bi-directional traffic, a SPAN port needs 20Gb of capacity, whereas a 10Gb Network TAP would be able to capture all 10Gb.
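The capacity rule in this point is easy to get wrong when a SPAN session mirrors several source ports, or only one direction of some of them. The helper below is an added example (not Niagara's code and not a switch feature) that sums the mirrored load the way a SPAN destination port sees it, RX and TX aggregated onto one egress link, and compares it to the destination's capacity; for a TAP it applies the per-direction rule instead. Link rates, utilizations and the sample sessions are constructed values.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass
class SpanSource:
    """One monitored switch port in a SPAN session (constructed model)."""
    name: str
    link_gbps: float          # link rate of the monitored port
    rx_util: float            # fraction of link rate in use on ingress (0..1)
    tx_util: float            # fraction of link rate in use on egress (0..1)
    direction: str = "both"   # which side the session mirrors: "both", "rx" or "tx"


def mirrored_gbps(src: SpanSource) -> float:
    """Traffic the switch must copy from this source port.

    A SPAN port folds both directions of a full-duplex link onto a single
    egress link, so RX and TX both count toward the same destination capacity.
    """
    if src.direction not in ("both", "rx", "tx"):
        raise ValueError(f"unknown direction {src.direction!r}")
    rx = src.link_gbps * src.rx_util if src.direction in ("both", "rx") else 0.0
    tx = src.link_gbps * src.tx_util if src.direction in ("both", "tx") else 0.0
    return rx + tx


def span_oversubscription(sources: Iterable[SpanSource], dest_gbps: float) -> Tuple[float, float, bool]:
    """Return (total mirrored Gbps, load ratio, oversubscribed?).

    A ratio above 1.0 means the destination port cannot carry the mirrored
    copies; since forwarding traffic keeps priority, the mirrored packets are
    the ones that get dropped, and the monitoring tool silently loses them.
    """
    total = sum(mirrored_gbps(s) for s in sources)
    ratio = total / dest_gbps
    return total, ratio, ratio > 1.0


def tap_monitor_port_ok(link_gbps: float, monitor_port_gbps: float) -> bool:
    """A TAP hands each direction of the link to its own monitor port, so a
    full-duplex 10G link needs two 10G monitor ports rather than one 20G port."""
    return monitor_port_gbps >= link_gbps


if __name__ == "__main__":
    # Constructed example: one saturated 10G uplink mirrored to a 10G SPAN port.
    uplink = SpanSource("uplink", link_gbps=10, rx_util=1.0, tx_util=1.0)
    total, ratio, over = span_oversubscription([uplink], dest_gbps=10)
    print(f"SPAN load {total:.1f} Gb/s, ratio {ratio:.2f}, oversubscribed={over}")
    print("TAP with 10G monitor ports ok:", tap_monitor_port_ok(10, 10))
```

Run it to see the 20Gb figure from the text fall out of the RX+TX sum; then lower `dest_gbps` or add more `SpanSource` entries to size a real session. Note that this is a planning check on average utilization only: bursts above the average can still oversubscribe a SPAN port that looks fine here.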
5. TAPs allow all traffic to pass through, including VLAN tags
SPAN ports often don’t pass VLAN tags through to the monitoring port, which makes VLAN problems hard to diagnose and produces spurious issues. TAPs allow all traffic to go through unchanged, which prevents these types of issues.
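A practical way to tell whether your capture path is stripping tags is to parse the Ethernet headers of what the tool actually received and compare the VLAN IDs seen with the VLANs the monitored link is supposed to carry. The following is an added example (not code from Niagara or from any capture tool) that decodes 802.1Q and 802.1ad (QinQ) headers from raw frames and audits a capture against an expected VLAN list; the frames and the expected VLAN IDs are constructed for the example.

```python
import struct
from typing import Dict, Iterable, List, Sequence, Tuple

ETHERTYPE_8021Q = 0x8100    # single VLAN tag
ETHERTYPE_8021AD = 0x88A8   # outer tag of a QinQ (802.1ad) pair
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> Tuple[List[int], int]:
    """Decode an Ethernet II frame header.

    Returns (vlan_ids, inner_ethertype). vlan_ids lists the VIDs from the
    outermost tag inward and is empty when the frame arrived untagged.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    vlan_ids: List[int] = []
    # Each tag is TPID (already read as 'ethertype') + TCI; the TCI's low 12 bits
    # are the VID, and the next two bytes are the following TPID or ethertype.
    while ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlan_ids.append(tci & 0x0FFF)
        offset += 4
    return vlan_ids, ethertype


def vlan_visibility(frames: Iterable[bytes]) -> Dict[str, object]:
    """Summarise how many frames carried tags and which VIDs were seen."""
    frames = list(frames)
    tagged = 0
    vids = set()
    for f in frames:
        ids, _ = parse_frame(f)
        if ids:
            tagged += 1
            vids.update(ids)
    return {"total": len(frames), "tagged": tagged, "vids": sorted(vids)}


def audit_capture(frames: Iterable[bytes], expected_vids: Sequence[int]) -> Dict[str, object]:
    """Compare VIDs present in a capture with the VIDs the monitored link should carry.

    Expected VIDs that never appear, and especially a capture with zero tagged
    frames on a trunk, point at a capture path that strips tags (typical of a
    SPAN port) rather than at a VLAN fault on the network itself.
    """
    seen = vlan_visibility(frames)
    missing = sorted(set(expected_vids) - set(seen["vids"]))
    return {
        "seen": seen,
        "missing_vids": missing,
        "tags_stripped_suspected": seen["tagged"] == 0 and bool(expected_vids),
    }


def build_frame(vids: Sequence[int] = (), ethertype: int = ETHERTYPE_IPV4,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a sample frame for the example (not real traffic)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    tags = b""
    for i, vid in enumerate(vids):
        # Outer tag of a QinQ pair uses 0x88A8; a single tag or inner tag uses 0x8100.
        tpid = ETHERTYPE_8021AD if (len(vids) > 1 and i == 0) else ETHERTYPE_8021Q
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP=0, DEI=0
    return dst + src + tags + struct.pack("!H", ethertype) + payload


# Constructed captures: the TAP copy keeps its tags, the SPAN copy arrived untagged.
EXPECTED_VIDS = [10, 20]
TAP_CAPTURE = [build_frame([10]), build_frame([20]), build_frame()]
SPAN_CAPTURE = [build_frame(), build_frame(), build_frame()]

if __name__ == "__main__":
    print("TAP :", audit_capture(TAP_CAPTURE, EXPECTED_VIDS))
    print("SPAN:", audit_capture(SPAN_CAPTURE, EXPECTED_VIDS))
```

Feed `audit_capture` the raw frames from your own capture (for example the packet bytes read out of a pcap) together with the VLAN list from the switch's trunk configuration. An empty `missing_vids` list confirms the tool sees what the link carries; a fully untagged capture on a trunk is the symptom described above and should be attributed to the mirroring path before anyone starts chasing a VLAN misconfiguration.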