Which Network Tap is Right for You?

André Vink By: André Vink September 25, 2018

If you haven’t seen our white paper discussing the main differences between network taps and SPAN ports, now is a good time. In any case, it’s worthwhile to point out a few key benefits of network taps. For example, once the taps are installed, they’ll offer you a relatively easy way to interchange (attach and detach) monitoring and analysis tools.

Since the devices that are attached to the taps are out-of-band (non-intrusive), they do not place any extra load on, or use up, the network resources, nor the processing features of the network switches. This allows the devices to quickly respond to malevolent invasions, breaches, etc., sending appropriate notifications and taking relevant security steps.

However, before you go and commit to a network tap, you must first choose the right type(s) that best suit your needs. There are many types of taps, and you should be aware of their particular features and advantages. The rest of this blog will be devoted to just that: Helping you to understand what you should be aware of when selecting network taps. Enjoy!

The Right Tap for the Right Job

Network taps come in a variety of types, each with its own particular set of strengths and features. As we’ve discussed in the past, taps are physical (hardware) components but do not affect the traffic flow. If there is a power outage at a rack where a tap is physically located, the tap nevertheless ensures business continuity since the traffic data packets do not get dropped. The taps thus enable 100% visibility for the rest of the network, since 100% of all network data traffic passes through without causing bottlenecks or points of failure in your network design.

The differences between active and passive network taps were covered in previous blogs, such as “Active Taps for Complete Network Visibility”.

Briefly, standard network taps connect inspection, monitoring, and analysis tools and devices to the network at key tap access points. As mentioned earlier, they are “non-intrusive” in the sense that they do not interrupt traffic or otherwise affect the network link and performance.

In addition to standard network taps, we’d like to introduce you to the current range of tap types that include (in alphabetical order):

  • Filterable taps
  • Link aggregation taps
  • Port aggregation taps
  • Portable Network Taps
  • Regeneration taps
  • Virtual Taps

Note that many of the ‘feature taps’ described in this blog are adopting selected features from Network Packet Brokers (NPB) to increase their efficiency and deployability. Alternatively, you will find vendors are also incorporating tap capabilities inside the NPB to achieve the same results.  Before delving into the tap types, also note that a bypass switch segment is user configurable to perform as an active network tap.

Filterable Taps

Since analyzing network traffic at the very high speeds of 10Gb and higher is very resource intensive, using the filterable tap to “downsize” the traffic, makes the "filterable" network tap an especially valuable device. Leveraging port capacity and using the advanced filtering, prevents data packets from dropping and ensures pervasive visibility, thanks to complete data capture.

Filtering access is considered to be the best method for analyzing your business-critical traffic. A tap that is filterable is an essential element for monitoring specific traffic and data network metrics, such as checking for frame issues such as errors and corrupted frames in IPv6.

Link Aggregation Taps

A link aggregation tap aggregates copies of network traffic data captured at several links and sends the copies to a single inspection port.

Port Aggregation Taps

Port aggregation taps offer the advantage of a full duplex traffic view, using a single network port instead of two. These taps are very similar in their functioning to standard network taps, where each direction is monitored on a separate port (breakout or split mode). Like the standard taps, they allow access to a single network segment, but these taps enable you to attach up to two inspection or monitoring tools (this is dependent on the configuration of the port aggregator).

Portable Network Taps

The portable network tap is a type of tap that is designed to be simple to install in any network topology and to configure with any network device. It is a tabletop device that does not need a full rack mount and is thus also more efficient in its space requirements because of its smaller form. This also makes it more cost effective for small deployments. Probably its main strength is its portability, that makes it the perfect tap for remote locations.

The portable network may also support some of the tap features that we highlighted, such as:

  • Port aggregation
  • Filtering
Additional portable network tap advantages may support both fiber and copper network links.

Regeneration Taps

A regeneration tap copies network traffic from a single link and then regenerates it onto multiple inspection ports. The mechanism enables each inspection or analysis tool to simultaneously view the exact same traffic at the same instant. You thereby achieve comprehensive and pervasive network visibility, by enabling access to permanent but passive inspection into your network’s health at key access points.

These taps also enhance network security monitoring by empowering concurrent multiple tools and devices such as protocol analyzers, remote network monitoring (RMON) tools, intrusion detection and prevention systems (IDPS), and other similar tools and devices.

Virtual Taps

Virtual taps are a newer breed of taps, specifically designed to enable visibility into traffic between virtual machines (VMs). Traffic in virtual machines cannot cross a physical port, therefore virtual taps provide east-west traffic access and transmit the ‘virtual’ monitored traffic via encapsulated tunnels to the physical inspection devices. Virtual taps that support the maximum number of hypervisor deployments are best.

Bonus: BiDi (Bidirectional) Taps

Bidirectional (BiDi) taps are in a category by themselves. They are multi-mode fiber network taps that provide visibility to bidirectional 40Gb traffic. Since BiDi utilizes multiple wavelengths within a single fiber cable in its transceiver technology, then the standard fiber tap technology will not work.

For more on how BiDi optical technology works, see “Network Capacity Planning Made Simple with Advanced BiDi Optical Technology”.


Every organization has its particular needs. Selecting the right tap or (combination of tap types) is important to set up the optimum network monitoring and inspection superstructure on top of and in sync with your network’s overall topology. Both standard and traditional taps, as well as the new breeds, should be considered when you plan to enhance and empower your business-critical network needs and network security.

Niagara Networks is at your service for consultation, and our free related resources and blogs will offer you a wealth of information on this and other vital network topics.

Span vs. Tap