SPAN ports

Q: Does a SPAN port do the same thing as a tap?

A: SPAN was originally defined by Cisco as an acronym for Switch Port Analyzer. It refers to port mirroring, as used on a network switch, which sends copies of the data traffic on specific ports or VLANs to network monitoring tools. These can include packet sniffers (e.g. Wireshark), IDS (e.g. Snort), or Web analysis tools (e.g. Websense). Like taps, SPAN ports can copy data from specific links, ports, or VLANs, but they have limitations and shortcomings not typically associated with taps.

If a SPAN port has a large volume of data being sent through it, there are two distinct risks:

  1. Packet loss due to oversubscription – network switches prioritize real-time data traffic over SPAN traffic. If a switch is heavily utilized it will drop SPAN packet copies rather than risk dropping real-time data.
  2. In some instances, initiating a SPAN session while a switch is being heavily utilized can impact the performance of the switch (this is generally the case with smaller switches such as workgroup models, and not true of robust core switches).

Additionally, SPAN ports do not forward CRC errors, runts, fragments, etc. (some taps forward such frames to monitoring tools, while others do not; contact Datacom Systems for more information).

 

TAPs

Q: What is a Network Tap?

A: A Tap is an in-line device placed into copper or fiber network links between devices such as firewalls, routers, switches, and servers. Its purpose is to borrow copies of the bi-directional (Rx and Tx) data from the tapped links and send those copies to monitoring tools.

Q: What is the difference between Passive and Active Network Taps?

A: Passive Taps do not require power for borrowing or generating copies of the data; power loss to the Tap produces no change in the state of the link. Fiber taps and certain 10/100 Ethernet taps are truly passive designs.

Active taps use power to borrow copies of the data. A relay-based fail-safe bypass system allows traffic to flow on the link in the absence of power, but the link state changes briefly upon power loss or restoration. All 1G and 10G capable copper Taps use an active design.

Q: Do taps add significant latency to the tapped link?

A: Datacom’s CTP-1000 copper taps add anywhere from 1.53 to as much as 77.83 microseconds of latency. This variability is a function of packet size distribution and utilization level (larger packets and higher utilization levels cause increased latency). SINGLEstream copper aggregation taps can introduce as much as double the latency of the CTP-1000, but this is still well within acceptable levels.

Non-aggregating fiber taps, and 10/100-only copper Ethernet taps, add latency on the link equal only to the length of fiber or copper in the splitter assemblies. It is 10 nanoseconds or less – statistically insignificant.

Q: Is there added latency of the data going to the monitoring tools?

A: In the case of simple fiber or copper non-aggregating taps, the potential added latency is similar to that of the tapped link. In all types of aggregating taps there is additional latency, which varies depending on the architecture of the tap and on the packet size and distribution. Contact Datacom Systems for more information.

Q: Do taps support (pass) Power over Ethernet (PoE)?

A: Datacom’s model CTP-1000 supports all PoE schemas. See the FAQ section on SINGLEstream aggregation taps for specific information about PoE support in those models.

 

SINGLEstream Aggregation Taps

Q: What is the difference between non-aggregating and aggregating taps?

A: Non-aggregating taps (also known as simple duplex taps) provide separate copies of the data streams from each side of a duplex link. There is zero risk of oversubscription or packet loss inside the tap. Monitoring tools with dual capture NICs, and software that can recombine the data streams, are required if the user wishes to see both sides of the duplex conversation in a single view.

Aggregating taps, branded as SINGLEstream by Datacom Systems, offer the option of merging the copies of Rx and Tx, then sending them out a monitor port as a single data stream. This allows monitoring tools with only a single capture NIC (e.g. Wireshark or Snort) to view both sides of the conversation without dual capture NICs or special software. If the aggregate utilization of the link exceeds 50%, there is a risk of packet loss in the tap due to oversubscription: the two sides of a 1000 Mbps 1G link have a theoretical combined capacity of 2000 Mbps, because it is a bi-directional link, which is more than the single monitor port carrying the merged stream can forward.

Q: Can tap ports be left at Auto-Negotiate?

A: If both link endpoints are capable of the same maximum speed, the Network ports of the tap should be left at Auto-Negotiate. If the two link endpoints have different maximum speed capabilities (e.g. a 10/100 device at one end of the link and a 10/100/1000 device at the other), both ends should be hard set to the maximum possible speed.

Q: Do taps allow monitoring tools to be visible on the network?

A: The Network ports of a tap have no IP or MAC address and are not seen as device ports by the network. In the case of passive taps, the monitoring tools are always invisible to the network (via the tapped link).

Certain models of SINGLEstream copper aggregation taps (the SS-1200, SS-2200, and SS-4200 series) can be configured to allow active responses from the tool monitor port – e.g. TCP Reset packets – to be sent back onto the network via the tap’s network ports. In this instance the tap can be configured to allow tool access back onto the link, but all such monitor configurations are disabled by default when a new tap is shipped. The user must explicitly select such a configuration when initially setting up the tap.

Q: Are Jumbo frames, VLAN tags and error frames passed to the tools when using these taps?

A: The SS-1200, SS-2200, and SS-4200 series pass CRC errors, but do not pass Jumbo frames on the tapped copper link itself. The newer models SS-G4C8C4S, SS-G6C4C4S, and SS-8GC4S (4, 6, and 8 link tap models) do support passing Jumbo frames on the link as well as to the tools.

Q: Do SINGLEstream Aggregation taps support Power over Ethernet (PoE)?

A: The SS-1200, SS-2200, and SS-4200 series do not support PoE, but the newer models SS-G4C8C4S, SS-G6C4C4S, and SS-8GC4S (4, 6, and 8 link tap models) support all schemas of PoE on the Network ports (i.e. the tapped links).

 

VERSAstream Network Packet Brokers

Q: What is a Network Packet Broker?

A: A network packet broker is an out-of-band device (it is not used in-line like a tap). It has multiple ports and accepts data copies from sources such as taps or SPAN ports. It can then aggregate these sources into one or more output streams or groups of data and send them to one or more monitoring tools.

Q: Can a network packet broker be used as a tap?

A: Technically speaking, a packet broker can have two ports configured to pass data through in both directions between endpoints, and send copies of that data to tools connected to other ports. This configuration provides no fault tolerance in the event of power loss to the packet broker, and is not a recommended application.

Q: How does Datacom’s network packet broker load balancing work?

A: The load balancing algorithm used is a session-based hash. Any given session will be “sticky” to a specific port that is part of the LBG (Load Balanced Group). It provides a failover mechanism that does not disrupt flows on unaffected links when flows from a failed link are redistributed: when a port that is a member of an LBG goes down, the flows previously hashed to the failed port are redistributed to the remaining ports without affecting the flows previously assigned to the unaffected ports.
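The page does not say which hash Datacom uses, so the following added example (not Datacom’s code) models the behaviour described above with rendezvous hashing, which has exactly that property: a session is sticky to one LBG port, both directions of the session hash to the same port, and losing a port only remaps the sessions that were on it. Port names and the sample 5-tuples are constructed.

```python
import hashlib
from typing import Iterable, List, Tuple

Flow = Tuple[str, str, int, int, int]   # (src_ip, dst_ip, proto, sport, dport)

def session_key(flow: Flow) -> str:
    """Direction-independent key so both halves of a session land on one port."""
    src, dst, proto, sport, dport = flow
    a, b = sorted([(src, sport), (dst, dport)])
    return f"{a[0]}:{a[1]}|{b[0]}:{b[1]}|{proto}"

def _weight(flow: Flow, port: str) -> int:
    """Rendezvous (highest-random-weight) score of one session/port pair."""
    digest = hashlib.sha256(f"{session_key(flow)}#{port}".encode()).digest()
    return int.from_bytes(digest[:8], "big")

class LoadBalancedGroup:
    """Toy LBG: the port with the highest weight for a session wins."""
    def __init__(self, ports: Iterable[str]) -> None:
        self.ports = set(ports)

    def assign(self, flow: Flow) -> str:
        # Deterministic, so a session stays "sticky" while its port is up.
        return max(self.ports, key=lambda p: _weight(flow, p))

    def port_down(self, port: str) -> None:
        self.ports.discard(port)

    def port_up(self, port: str) -> None:
        self.ports.add(port)

def failover_impact(flows: List[Flow], ports: List[str], failed: str):
    """Assign flows, fail one port, and report which sessions moved."""
    lbg = LoadBalancedGroup(ports)
    before = {f: lbg.assign(f) for f in flows}
    lbg.port_down(failed)
    after = {f: lbg.assign(f) for f in flows}
    moved = [f for f in flows if before[f] != after[f]]
    # With rendezvous hashing only sessions from the failed port are remapped.
    disturbed_elsewhere = [f for f in moved if before[f] != failed]
    return before, after, moved, disturbed_elsewhere
```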

 

DURAstream Bypass Switches

Q: What is a bypass switch?

A: The bypass switch is a specialized in-line device used primarily to protect the integrity of a link when active in-line tools are in use. It is placed in a production link – typically between a firewall and router or between a router and a switch. Inbound and outbound traffic passes first into the bypass switch, then loops through the in-line appliance via a pair of “appliance ports.” The presence of the bypass switch, apart from a small amount of added latency, is invisible to the network. The switch generates user-configurable “heartbeat” packets and monitors their receipt. If the packets pass too slowly – indicating that the performance of the in-line tool is failing – or if they stop altogether – indicating a tool failure – the bypass switch automatically pushes the link through a bypass mechanism, routing traffic directly through. This also allows the user to manually force the tool off-line for upgrades or tool replacement. Loss of link will also cause the tool to be bypassed.
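An added example (not Datacom’s firmware) of the decision logic just described: heartbeats that return too slowly count as a degraded tool, heartbeats that never return count as a failed tool, and either condition, a link loss, or a manual override moves the link onto the bypass path. The thresholds and the hysteresis counts are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class BypassSwitch:
    """Toy heartbeat-driven bypass controller for one in-line tool."""
    max_rtt_ms: float = 50.0    # heartbeat slower than this = degraded tool
    timeout_ms: float = 500.0   # heartbeat not back by then = failed tool
    fail_after: int = 3         # consecutive bad heartbeats before bypassing
    recover_after: int = 5      # consecutive good heartbeats before reinserting
    bypassed: bool = False
    forced: bool = False        # operator-initiated bypass for upgrades/replacement
    reason: str = "normal"
    bad: int = 0
    good: int = 0

    def path(self) -> str:
        return "bypass" if (self.bypassed or self.forced) else "tool"

    def force_bypass(self, on: bool) -> str:
        self.forced = on
        if on:
            self.reason = "manual"
        return self.path()

    def link_down(self) -> str:
        self.bypassed, self.reason = True, "link loss"
        return self.path()

    def heartbeat(self, sent_ms: float, received_ms: Optional[float] = None) -> str:
        """Record one heartbeat; received_ms is None when it never came back."""
        rtt = None if received_ms is None else received_ms - sent_ms
        if rtt is None or rtt > self.timeout_ms:
            verdict = "no heartbeat"
        elif rtt > self.max_rtt_ms:
            verdict = "slow heartbeat"
        else:
            verdict = None
        if verdict:
            self.bad, self.good = self.bad + 1, 0
            if self.bad >= self.fail_after and not self.bypassed:
                self.bypassed, self.reason = True, verdict
        else:
            self.good, self.bad = self.good + 1, 0
            if self.bypassed and self.good >= self.recover_after:
                self.bypassed, self.reason = False, "normal"
        return self.path()
```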

Q: If the bypass switch routes traffic around a failed in-line tool, then how can I protect my network?

A: Bypass switches that support more than one in-line tool are the best choice for most networks. They can be used to support an HA (High Availability) scenario, in which the backup or passive tool automatically takes over if the active or primary tool fails or is manually taken off-line.

Q: Where or when would I use a dual bypass switch?

A: Dual bypass switches that support two tools and two links are required for protecting active-passive or dynamically bonded link pairs, such as dual Firewall-Router connections. In this scenario the bypass switch can provide protection against a failed tool or a failed link, rerouting traffic to the alternate tool, the alternate link, or both, as needed.

Q: Can I use a tap or packet broker as a bypass switch for inline tools?

A: Taps do not offer a heartbeat feature, and neither tap monitor ports nor packet brokers have passive bypass protection when used as pass-throughs for active links. This is not a recommended usage.

Q: If my in-line tool already has a built-in bypass feature, then what is the benefit of a bypass switch?

A: Many in-line tool vendors state that their product “fails open” or “fails to wire” if the tool loses power. It is strongly recommended that such products be tested to verify these claims. More important, such a “fail open” feature does not respond when traffic is passing through the in-line tool too slowly – indicating a performance issue. The heartbeat feature of a bypass switch accounts for this scenario and is user configurable. Furthermore, and perhaps most important, is the value of High Availability with an active-passive pair of in-line tools. This is another crucial feature of bypass switches that is unavailable from a built-in “fail-open” feature. Bypass switches with High Availability also allow the in-line tool hardware itself to have its firmware upgraded or hardware replaced without losing protection for the link.


Additional Topics

Filtering

Q: What is filtering in the context of taps or network packet brokers?

A: Data traffic can be filtered “post-capture” by using a software-based filter that displays only packets of specific interest. The data can be filtered to show only certain protocols, specific IP addresses, etc. Software-based filters can also be used during the actual capture process, but they are inefficient and typically unable to keep pace with the high data rate coming from taps and/or packet brokers. The industry standard syntax for CLI (Command Line Interface) filters is the one used by Wireshark – the industry’s leading open source packet capture and analysis software.

Hardware-based filtering is far more efficient than software filtering and is able to keep up with high data rates and throughput. This allows very specific types of data to be directed to specific tools, while other tools may need to see all the data or some different subset of it. Most taps and NPBs (network packet brokers) that include hardware-based filtering require the user to select either an Ingress or an Egress filter. Ingress filters are applied at the point where the data enters the tap or NPB. This reduces the risk of oversubscribing the backplane of the device if it has many streams of data entering it, but when specific data is filtered out at the Ingress point, that data is no longer available to any other monitor port or tool – it has been globally excluded. Egress filters can be applied separately on any monitor port to include or exclude specific data; unlike Ingress filters, they have no impact on other ports. Most users find it tedious and time consuming to create separate Ingress and Egress filters, determine where they should be applied, and decide which to use.

Datacom’s newest generation of taps and packet brokers has a unique filtering system that eliminates the need to create separate Ingress and Egress filters. Rather than being applied at the input or output port, the filter is placed between the input and output ports. The robust nature and abundant bandwidth of the backplane in Datacom’s newest products greatly minimizes the risk of oversubscription within the device itself. Users can focus on configuring the filters to reduce the oversubscription risk on individual monitor ports, to minimize the risk of oversubscribing the throughput capacity of the monitoring tool, or both.
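An added example (a toy model, not any vendor’s implementation) of the Ingress-versus-Egress distinction described above: the same “drop port 443” rule applied at the input port starves every monitor port of that traffic, while applied on one monitor port’s egress it affects only that port. The port names, tool names and sample packets are constructed.

```python
from typing import Callable, Dict, List

Packet = Dict[str, object]        # constructed minimal packet records
Keep = Callable[[Packet], bool]   # filter predicate: True means pass the packet

class PacketBroker:
    """Toy NPB with per-input ingress filters and per-monitor egress filters."""
    def __init__(self) -> None:
        self.ingress: Dict[str, Keep] = {}
        self.egress: Dict[str, Keep] = {}
        self.delivered: Dict[str, List[Packet]] = {}

    def add_monitor(self, port: str, keep: Keep = lambda p: True) -> None:
        self.egress[port] = keep
        self.delivered[port] = []

    def set_ingress(self, in_port: str, keep: Keep) -> None:
        self.ingress[in_port] = keep

    def receive(self, in_port: str, pkt: Packet) -> None:
        if not self.ingress.get(in_port, lambda p: True)(pkt):
            return                      # dropped at the input: no monitor port can see it
        for mport, keep in self.egress.items():
            if keep(pkt):               # egress decision is local to this monitor port
                self.delivered[mport].append(pkt)

# Constructed traffic entering one tap input: HTTPS, DNS, SSH, HTTPS.
SAMPLE: List[Packet] = [{"proto": "tcp", "dport": 443}, {"proto": "udp", "dport": 53},
                        {"proto": "tcp", "dport": 22}, {"proto": "tcp", "dport": 443}]

def run(use_ingress: bool) -> Dict[str, int]:
    """Packets delivered per monitor port when 443 is excluded from the IDS feed."""
    npb = PacketBroker()
    npb.add_monitor("ids")                                      # IDS feed
    npb.add_monitor("tls_probe", lambda p: p["dport"] == 443)   # TLS tool wants 443 only
    if use_ingress:
        npb.set_ingress("tap1", lambda p: p["dport"] != 443)    # exclusion at the input
    else:
        npb.egress["ids"] = lambda p: p["dport"] != 443         # exclusion on one egress
    for pkt in SAMPLE:
        npb.receive("tap1", pkt)
    return {port: len(pkts) for port, pkts in npb.delivered.items()}
```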

Q: What is “packet slicing” and do Datacom products support this feature?

A: Packet Slicing is a function included in some network taps, but is more typically seen in high-end network packet brokers. It allows removal of the payload (contents) from data packets that are being sent to monitoring and capture tools, while still retaining the important header information. In many cases the payload is not relevant to network monitoring and security analysis (which has often already been done by other tools, such as IPS or DPI, before the packets reach out-of-band tools). Packet slicing can improve throughput and make the storage capacity of tools more efficient. In some cases, data that is stored for regulatory or compliance reasons may have sensitive information in the payload which should not be retained.

At present, Datacom Systems does not offer this feature, but it is scheduled for inclusion in several new high-density, high-speed packet brokers, as well as being a feature of an adjunct “super port” box, which can add this and other additional functionality to existing products.
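An added example (not Datacom’s code) of what header-preserving packet slicing does on the wire: it parses just far enough to find the end of the transport header and discards everything after it, so the retained capture keeps addresses and ports but never the payload. The sample frame is constructed in the code rather than taken from a real capture.

```python
import struct
from typing import Optional

def build_sample_frame(payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the demo (not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:                       # optional 802.1Q tag
        eth += b"\x81\x00" + struct.pack("!H", vlan)
    eth += b"\x08\x00"                         # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 1024, 0, 0)
    return eth + ip + tcp + payload

def header_length(frame: bytes) -> int:
    """Bytes to keep: L2 header, plus IPv4 and TCP/UDP headers when present."""
    if len(frame) < 14:
        return len(frame)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = 14
    if ethertype == 0x8100 and len(frame) >= 18:       # skip the VLAN tag
        ethertype = struct.unpack("!H", frame[16:18])[0]
        l3 = 18
    if ethertype != 0x0800 or len(frame) < l3 + 20:    # non-IPv4: keep L2 only
        return min(len(frame), l3)
    ihl = (frame[l3] & 0x0F) * 4                        # IPv4 header incl. options
    proto = frame[l3 + 9]
    l4 = l3 + ihl
    if proto == 6 and len(frame) >= l4 + 20:            # TCP: honour data offset
        return min(len(frame), l4 + (frame[l4 + 12] >> 4) * 4)
    if proto == 17:                                     # UDP: fixed 8-byte header
        return min(len(frame), l4 + 8)
    return min(len(frame), l4)

def slice_packet(frame: bytes) -> bytes:
    """Drop everything after the transport header so payload is never stored."""
    return frame[:header_length(frame)]
```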

