Network Taps, in addition to being available for copper or fiber media, can be purchased in a fixed configuration, typically called “duplex Taps,” or as “Aggregation Taps.” The latter category offers options for how the data copies are distributed among the monitor ports. This article clarifies the differences between the two Tap types and explores the rationale for different Tap configurations, with examples of their applications.
Simple Duplex Taps are passive or non-intrusive devices that are inserted into a production link and send copies of the two sides of the link (Rx and Tx) out two separate monitor ports. A significant benefit is that they are moderately priced, non-managed devices (they do not require management port connectivity or configuration).

But… there are some limitations to this tap style. Many data capture and analysis devices have only a single Capture NIC (capture interface) on which they can receive data. A good example of this is a laptop running the open source Wireshark packet sniffer program. Additionally, even if a second capture NIC is added, it is necessary to have specialized capture/analysis software that can recombine the Rx and Tx data streams, thus allowing the user to view the original duplex conversation in its entirety on a single screen. An out-of-band device (i.e. not used in a link) known as a network packet broker can accept the two data streams from a simple duplex tap, multiple taps, and also SPAN ports, allowing them to be aggregated together and sent out one or more monitor ports to tools that have only one Capture NIC.
But what if a network packet broker is not a good fit for the application?
Enter… the Aggregation Tap. Available for both copper and fiber media, this device can be configured to internally aggregate or merge the Rx and Tx data stream copies. This allows devices with a single Capture NIC to receive and view the duplex conversation in its entirety, without requiring highly specialized software. This can be a simple copper 1G capable tap, which has a slider switch allowing it to be used as a simple duplex Tap or an aggregation Tap with two monitor ports.
Many aggregation tap models are more complex: they can tap multiple links, send data to more than two monitoring tools, send both aggregated and non-aggregated data copies, and more.
Additional benefits of aggregation Taps include:
1) Multiple monitor ports, allowing multiple tools to view and capture the same aggregated data stream
2) Models with multiple taps, allowing more than one link to be merged into a single data stream
3) “Any-to-Any” monitor ports, which allow additional inputs from other Taps or SPAN ports to be aggregated
4) Media conversion for monitor ports – allowing fiber Taps to send data to copper monitoring tools or vice versa
5) Speed conversion – allowing merged data from lower speed links to be sent out at a higher speed to tools (e.g. 1G links sent to a 10G tool)
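The following is an added example, not vendor code: it interleaves constructed Rx and Tx copies by timestamp, as an aggregation Tap or recombining software must, and then flags time windows where the merged load exceeds what a monitor port can carry, which is the case speed conversion addresses. The record format, the 100 µs window, and the 20-byte per-frame wire overhead are assumptions of the example, and tap buffering is not modelled.

```python
import heapq
from collections import defaultdict

WIRE_OVERHEAD = 20  # preamble + inter-frame gap, bytes per Ethernet frame

# Constructed sample data: (timestamp_us, frame_bytes) as seen on each
# monitor port of a duplex tap during a burst on a 1G link.
RX = [(i * 13, 1518) for i in range(8)] + [(150, 1518), (170, 64)]
TX = [(5 + i * 13, 1518) for i in range(8)] + [(160, 64)]


def merge_duplex(rx, tx):
    """Interleave two time-sorted one-way streams into one ordered stream."""
    tagged_rx = ((ts, "Rx", size) for ts, size in rx)
    tagged_tx = ((ts, "Tx", size) for ts, size in tx)
    return list(heapq.merge(tagged_rx, tagged_tx))


def oversubscribed_windows(merged, port_bps, window_us=100):
    """Start times (us) of windows whose merged load exceeds the port rate."""
    bits = defaultdict(int)
    for ts, _direction, size in merged:
        bits[ts // window_us] += (size + WIRE_OVERHEAD) * 8
    budget = port_bps * window_us / 1_000_000  # bits the port can send per window
    return sorted(w * window_us for w, b in bits.items() if b > budget)


if __name__ == "__main__":
    merged = merge_duplex(RX, TX)
    for ts, direction, size in merged[:4]:
        print(f"{ts:>4} us  {direction}  {size} bytes")
    print("1G monitor port over budget at:", oversubscribed_windows(merged, 10**9))
    print("10G monitor port over budget at:", oversubscribed_windows(merged, 10**10))
```

Each direction alone fits within 1G here; only the merged stream exceeds it, so a single-NIC sensor fed at 1G would see the tap buffer or drop frames during the burst.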
Aggregation tap users must make conscious choices about what to do with data copies, thus determining how the tap will be configured.
- Sending data as an aggregated data stream to more than two monitoring tools
- Sending non-aggregated data (separate Rx and Tx copies) to one specialized tool, while also sending aggregated data streams to others
- Aggregating data from 2 or 4 links to a single tool
- Using hardware based filtering to parse data and send only certain types of data out certain monitor ports
- Simple duplex Tap with slider switch to also yield aggregated output
- This is the standard deployment for any fixed simple duplex Tap (non-aggregating). Note that a specialized capture tool with dual capture NICs and special software must be used in order to view the entire original full duplex conversation.
- Same Tap but used in Aggregation mode. The Rx and Tx data stream copies are aggregated. Identical copies of the merged data stream are sent out both monitor ports, allowing two separate tools, each with just a single capture NIC, to view both sides of the conversation.
(Datacom Systems CTP-1000) https://www.datacomsystems.com/copper-taps/
- Dual link aggregation Tap being used to aggregate data from an Active-Passive Firewall link pair. Data copies from both links are aggregated into a single data stream that is viewed by a single monitoring tool. In the event that the Active firewall link fails, the traffic automatically shifts to the Passive link. This Tap configuration ensures that the monitoring tools continue to receive data uninterrupted – even though the Active link failed. An identical deployment is used for firewall link pairs that are dynamically load balanced and both Active at all times – except in the event of a link failure.
(Datacom Systems SINGLEstream model SS-2206BT-BT-S)
- Multi-link high density aggregation Tap with additional Any-to-Any monitor ports that can function like a packet broker, accepting data from other taps and/or SPAN ports. This product family has four SFP+ ports in every model, allowing aggregated data to be sent to 10G monitoring tools, with the higher throughput capacity needed for larger amounts of merged data.
(Datacom Systems SINGLEstream model SS-G4C8C4S)
For individual guidance on the optimal tap configurations for your network, and a detailed explanation of the commands used to create them, contact Datacom Systems at [email protected] or +1 315-463-9541.