What are SPAN ports?
SPAN was originally defined by Cisco as an acronym for Switch Port Analyzer. It refers to port mirroring, as used on a network switch, which sends copies of data traffic on specific ports or VLANs to network monitoring tools. These can include packet sniffers (e.g. Wireshark), IDS (e.g. Snort), or Web analysis tools (e.g. Websense). Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN). Other common terms for this feature include Port Mirroring, but SPAN has become a generic industry term, regardless of switch manufacturer. Cisco also offers Remote Switched Port Analyzer (RSPAN), which allows SPAN traffic from remote switches to be carried back across the network to the SPAN port of the primary switch, to which the tool is attached.
What are network TAPs?
TAPs are dedicated hardware devices providing access to the data flowing on a fiber or copper link between two network devices (e.g. a switch and a router, a firewall and a router, etc.). A basic TAP has a minimum of four ports. The two “Network ports” connect to the link endpoints and provide a non-intrusive pass-through for data traffic. The two “Monitor ports” hand off copies of the link traffic to the monitoring tools. A simple duplex TAP hands off copies of the data coming from one endpoint device out the first monitor port, and copies from the other endpoint device out the second monitor port. Variations include TAPs with the capability to merge data from both sides of the duplex link (aggregation TAPs), the capacity to send multiple copies of the data to a variety of tools (regeneration TAPs), and models that tap multiple links in a single unit (multi-link TAPs). These will be discussed in detail in a future installment of this series.
Benefits of TAPs
The advantages of using TAPs rather than SPAN ports for monitoring tool access are myriad. Let’s examine those before assessing the benefits of SPAN ports.
One-time setup and configuration
The simplest TAPs need only be physically connected to the cabling between link endpoints. More feature-rich TAPs may require initial configuration of a management port and monitor ports, but this is typically done only once, at the time of install. Once installed, a TAP will always send data from that link to the tools of your choice. SPAN ports, by contrast, must be configured each time you wish to change the source (ports or VLANs) sending data to the tools. In many environments this requires a scheduled Change Control window, and in some industries (e.g. securities trading) it cannot be done during weekday business hours.
Little to no risk of packet loss caused by high utilization
Duplex non-aggregated TAPs pass every packet through to the Monitor Ports with zero risk of loss (aggregation TAPs may present a small risk of oversubscription). If a SPAN port has a large volume of data being sent through it, there are two distinct risks:
1. Packet loss due to oversubscription: network switches prioritize real-time data traffic over SPAN traffic. If a switch is heavily utilized, it will drop SPAN packet copies rather than risk dropping real-time data.
2. In some instances, initiating a SPAN session while a switch is heavily utilized can impact the performance of the switch (this is generally the case with smaller switches such as workgroup models, and not true of robust core switches).
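As an added illustration of the oversubscription risk in item 1 (this is example code, not part of the original article), the Python snippet below compares the load mirrored from several full-duplex sources against the capacity of a SPAN destination port, and contrasts it with a TAP monitor port; the interface names and utilisation figures are constructed.

```python
from dataclasses import dataclass


@dataclass
class MirroredLink:
    """One full-duplex link configured as a SPAN source (all values constructed)."""
    name: str
    speed_mbps: float          # line rate in each direction
    rx_util: float             # observed utilisation, 0.0-1.0, of the ingress direction
    tx_util: float             # observed utilisation, 0.0-1.0, of the egress direction
    direction: str = "both"    # SPAN source direction: "rx", "tx" or "both"

    def mirrored_mbps(self) -> float:
        """Traffic this source copies to the SPAN destination right now."""
        rx = self.speed_mbps * self.rx_util if self.direction in ("rx", "both") else 0.0
        tx = self.speed_mbps * self.tx_util if self.direction in ("tx", "both") else 0.0
        return rx + tx

    def worst_case_mbps(self) -> float:
        """Traffic copied if every mirrored direction runs at line rate."""
        return self.speed_mbps * (2 if self.direction == "both" else 1)


def span_headroom(links, dest_speed_mbps):
    """Compare the mirrored load against the SPAN destination port's capacity.

    Any positive overflow means the switch will drop SPAN copies, since it
    prioritises forwarding real traffic over feeding the mirror port.
    """
    current = sum(l.mirrored_mbps() for l in links)
    worst = sum(l.worst_case_mbps() for l in links)
    return {
        "current_mbps": current,
        "worst_case_mbps": worst,
        "current_overflow_mbps": max(0.0, current - dest_speed_mbps),
        "worst_case_overflow_mbps": max(0.0, worst - dest_speed_mbps),
    }


def tap_worst_case_overflow(link_speed_mbps, monitor_speed_mbps, aggregating):
    """Worst-case overflow on a TAP monitor port for one full-duplex link.

    A non-aggregating duplex TAP gives each direction its own monitor port, so a
    1 Gbps link can never exceed a 1 Gbps monitor port; an aggregation TAP merges
    both directions onto one port and can exceed it when the link is saturated.
    """
    copied = 2 * link_speed_mbps if aggregating else link_speed_mbps
    return max(0.0, copied - monitor_speed_mbps)


if __name__ == "__main__":
    # Constructed scenario: three busy 1 Gbps access links mirrored to one 1 Gbps SPAN port.
    sources = [MirroredLink(f"Gi1/0/{i}", 1000, 0.30, 0.20) for i in (1, 2, 3)]
    print(span_headroom(sources, dest_speed_mbps=1000))
    print(tap_worst_case_overflow(1000, 1000, aggregating=False))
    print(tap_worst_case_overflow(1000, 1000, aggregating=True))
```

Even at 50% average utilisation the three sources already exceed the destination port, and the worst case is six times its capacity; the same three links on non-aggregating TAPs never overflow.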
All packets are passed to the tools
Network troubleshooting often involves using packet sniffers to examine the number of runts, fragments, and CRC errors. SPAN ports identify these as “bad packets” and discard them, so the tool never sees them; a TAP passes them through.
TAPs can be placed in any link that needs to be monitored. They provide information about the specific activity on that link, rather than just showing what is coming from the switch. They are also not tied to the physical location of a switch: if dark fiber or spare copper runs are available, a TAP can be deployed remotely in a building or on a campus, with the Monitor Port data sent via a “home run” to the location of the tool.
Permanent point of access
In some environments there are links that may occasionally require direct visibility, but have no proven need for constant 24×7 monitoring. Installing TAPs in such links allows field personnel with portable troubleshooting equipment to connect and diagnose problems without ever interrupting the link activity.
Although it can generally be assumed that a switch on the trusted side of a network is secure, switches in the DMZ are more exposed to attack. TAPs are invisible to the network. If traffic on a specific link is compromised, the TAP still provides 100% visibility to the security tools.
Benefits of SPAN Ports
With so many evident benefits derived from using TAPs, what is the argument in favor of SPAN ports?
No cost for acquisition
SPAN ports are a feature already built into most network switches. No additional hardware cost is involved in deploying them.
Ideal for occasional reactive troubleshooting
Most networks have hundreds, or even many thousands, of individual physical links to workstations, servers, and a broad array of other devices that are not part of the core network’s critical infrastructure. There may also be IDFs (Independent Data Facilities) or even satellite offices that have only a few switches. It is usually impractical to provide constant monitoring of such locations with TAPs. Problems at such sites are typically infrequent and call for reactive troubleshooting when they occur. SPAN or RSPAN is often an ideal solution for these instances.
The use of TAPs does not preclude the use of SPAN ports. In many cases, users connect both TAPs and SPAN ports to Network Packet Brokers (devices that accept multiple data source inputs, which can be aggregated, replicated, and even filtered to send only specific types or sources of data to the monitoring tools). SPAN ports are also a quick and easy way to perform diagnostics and isolate issues at locations where 24×7 monitoring is not required. Field techs with a laptop running Wireshark or other troubleshooting tools can easily connect without taking links down to temporarily install a TAP.
Network Packet brokers will be discussed in detail in a future installment of this series.