Network Taps vs. SPAN Ports
A SPAN port (Switched Port Analyzer), also called port mirroring, is configured on a network switch to send a copy of all network packets seen on one switch port to a monitoring connection on another switch port. SPAN ports are commonly connected to devices that need to monitor or analyze network traffic, such as a protocol analyzer or an intrusion detection system (IDS).
Network taps, which are also used in network and security monitoring, create permanent access ports for passive monitoring. A tap, or test access port, can be installed between any two network devices, such as firewalls, routers, and switches. Monitoring appliances simply plug into the access port created by the tap and receive a copy of the "in-line" data.
The Seven Layers of the OSI Model
Network taps are passive devices. They simply let a copy of the data on the network segment pass through to the devices connected to the tap port. Because the monitoring devices connected to the tap receive an exact copy of the network traffic, they also receive all Layer 1 (Physical) and Layer 2 (Data Link) data, including all errors, such as CRC errors and "runts."
Conversely, a monitoring device connected to the SPAN port of a network switch does not see all the traffic. Switches discard all Layer 1 and most Layer 2 information, including corrupt packets, so bad frames or faulty network interface cards (NICs) cannot be detected with the monitoring tools.
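The difference described above is easiest to see on raw frames. The following Python is an added example, not code from the original page: it constructs three sample Ethernet frames inline (one clean, one with a flipped byte so its FCS no longer matches, one truncated below the 64-byte minimum), checks the FCS with CRC-32 as the Ethernet standard specifies, and shows which frames a tap-fed monitor classifies versus which ones survive to a SPAN port. The frame contents and MAC addresses are made up for the example.

```python
"""Classify raw Ethernet frames the way a tap-fed monitor sees them.

Added example (not from the original page). It constructs a few sample
frames inline, computes the Ethernet FCS (CRC-32, which zlib.crc32
implements), and flags runts and FCS errors: the Layer 1/2 evidence a
tap preserves but a switch SPAN port drops before mirroring.
"""
import struct
import zlib

MIN_FRAME_LEN = 64  # Ethernet minimum frame size, including the 4-byte FCS


def add_fcs(frame_without_fcs: bytes) -> bytes:
    """Append the Ethernet FCS: CRC-32 over the frame, sent little-endian."""
    crc = zlib.crc32(frame_without_fcs) & 0xFFFFFFFF
    return frame_without_fcs + struct.pack("<I", crc)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a frame: header, payload padded to the minimum size, then FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    body = body.ljust(60, b"\x00")  # header+payload must reach 60 bytes (64 with FCS)
    return add_fcs(body)


def classify_frame(frame: bytes) -> str:
    """Return 'ok', 'runt' or 'fcs_error' for a raw frame captured with its FCS."""
    if len(frame) < MIN_FRAME_LEN:
        return "runt"  # short fragment: collision remnant or a broken NIC
    expected = struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(frame[:-4]) & 0xFFFFFFFF != expected:
        return "fcs_error"  # corrupted in transit: bad cable, duplex mismatch, flaky NIC
    return "ok"


def tap_view(frames):
    """Everything on the wire, errors included: what a passive tap delivers."""
    return [classify_frame(f) for f in frames]


def span_view(frames):
    """Only frames the switch accepted and re-forwarded: what a SPAN port mirrors."""
    return [c for c in tap_view(frames) if c == "ok"]


def error_summary(frames):
    """Count each classification so the tap/SPAN gap is visible at a glance."""
    counts = {"ok": 0, "runt": 0, "fcs_error": 0}
    for c in tap_view(frames):
        counts[c] += 1
    return counts


# Constructed sample traffic (addresses and payload made up for this example).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
good = build_frame(DST, SRC, 0x0800, b"hello")
corrupted = bytearray(build_frame(DST, SRC, 0x0800, b"hello"))
corrupted[20] ^= 0xFF  # flip a byte after the FCS was computed -> CRC mismatch
runt = good[:40]       # truncated on the wire, shorter than the 64-byte minimum
SAMPLE_FRAMES = [good, bytes(corrupted), runt]

if __name__ == "__main__":
    print("tap sees :", tap_view(SAMPLE_FRAMES))
    print("SPAN sees:", span_view(SAMPLE_FRAMES))
    print("summary  :", error_summary(SAMPLE_FRAMES))
```

One practical caveat: even on a tap, the monitoring host only gets the FCS if its capture NIC and driver are configured to preserve it (most NICs strip it and drop bad-FCS frames before the OS sees them), so the tap alone is necessary but not sufficient for this kind of error visibility.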
Real-Time Data Access
Network taps pass an exact duplicate of the data to their tap ports by splitting or regenerating the full-duplex network signal: fiber (optical) signals are split, and copper (electrical) signals are regenerated. Neither splitting nor regeneration introduces delay or alters the packet content in any way, and taps pass full-duplex data at line rate.
Network switches may need extra time to copy spanned packets before sending them out the SPAN port, usually because the switch's software adds overhead. Signal conversion can also add delay if the network signal is converted from electrical to optical. Finally, a network switch is constrained by the capacity of its SPAN port. For example, if a link is operating at 100Mbps full-duplex, a 100Mbps SPAN port suffers from oversubscription because the combined bi-directional traffic is 200Mbps. Even Gigabit SPAN ports can be oversubscribed as more and more traffic is mirrored from multi-port switches.
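The oversubscription arithmetic above generalises to any number of mirrored source ports, and the following Python is an added example (not from the original page) that carries it through: the `Link` records and utilisation figures are constructed for the example, the functions compute the total load a SPAN port must transmit (both directions of every source), the oversubscription ratio, and the worst-case share of mirrored traffic that cannot fit. The 100Mbps full-duplex case from the text is the first scenario; a Gigabit SPAN port fed by six busy 100Mbps ports is the second.

```python
"""Size a SPAN session: will the mirrored load fit on the SPAN port?

Added example (not from the original page). A full-duplex link carries
traffic in both directions at once, but a SPAN port can only transmit
toward the monitor at its own line rate, so the mirrored load is the sum
of rx and tx across every source port. Utilisation figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """One monitored switch port with per-direction utilisation in Mbps."""
    name: str
    rx_mbps: float  # traffic entering the switch on this port
    tx_mbps: float  # traffic leaving the switch on this port


def mirrored_load_mbps(links):
    """Total traffic the SPAN port must emit: both directions of every source."""
    return sum(link.rx_mbps + link.tx_mbps for link in links)


def oversubscription_ratio(links, span_capacity_mbps):
    """Mirrored load divided by SPAN capacity; above 1.0 the switch must drop."""
    return mirrored_load_mbps(links) / span_capacity_mbps


def dropped_fraction(links, span_capacity_mbps):
    """Worst-case share of mirrored traffic that cannot fit (0.0 when it fits).

    Assumes the switch simply discards whatever exceeds the SPAN port rate;
    real switches buffer briefly, so this is the sustained-load bound.
    """
    load = mirrored_load_mbps(links)
    if load <= span_capacity_mbps:
        return 0.0
    return (load - span_capacity_mbps) / load


def span_report(links, span_capacity_mbps):
    """Summarise a proposed SPAN session for a capacity review."""
    return {
        "sources": [link.name for link in links],
        "mirrored_mbps": mirrored_load_mbps(links),
        "span_capacity_mbps": span_capacity_mbps,
        "ratio": oversubscription_ratio(links, span_capacity_mbps),
        "oversubscribed": mirrored_load_mbps(links) > span_capacity_mbps,
        "worst_case_dropped": dropped_fraction(links, span_capacity_mbps),
    }


# Scenario from the text: one saturated 100Mbps full-duplex link, 100Mbps SPAN port.
SINGLE_LINK = [Link("gi0/1", rx_mbps=100, tx_mbps=100)]

# Constructed scenario: six saturated 100Mbps ports mirrored to one Gigabit SPAN port.
SIX_LINKS = [Link(f"gi0/{i}", rx_mbps=100, tx_mbps=100) for i in range(1, 7)]

if __name__ == "__main__":
    print(span_report(SINGLE_LINK, 100))
    print(span_report(SIX_LINKS, 1000))
```

The design choice worth noting is that the report is computed from sustained per-direction utilisation rather than link speed: a tap never has this problem because it hands each direction to its own tap port, whereas a SPAN port must merge both directions of every source into one transmit stream.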
Maximizing Network Performance and Resources
Network switches are designed to "switch," or direct, traffic to connected devices. Increasing the load on a switch through port spanning can degrade overall network performance, particularly because of the delay the switch introduces to the network and to the connected monitoring devices when it has to regenerate data.
Network taps conserve valuable switch ports. They require no configuration and no management, and they do not degrade network performance.
Network taps are optimal for environments where multiple teams (e.g. security and network management) need to work together. Because network switches have a limited number of SPAN ports, it is often impossible to connect all the devices required for the troubleshooting and monitoring that enterprises need. Network taps let you connect more devices to the network without competing for SPAN port access or reconfiguring SPAN ports for specific applications.