The _____ port is also known as a switched port analyzer (SPAN) port or mirror port.

Make The Right Choice For Monitoring Data Capture

When monitoring a data network, you need quick and easy data access. A short delay or capturing the wrong data can cost you thousands of dollars and result in longer troubleshooting time.

Keep in mind that you have choices when collecting monitoring data. Your choice of network monitoring equipment will affect the complexity and effectiveness of your monitoring strategy. The two most common ways of accessing monitoring data are through either a switched port analyzer (SPAN) port or a test access port (Tap).

A tap is a purpose-built device that passively makes a copy of network data but does not alter the data. Once you install it, you are done. No programming is required.

SPAN ports, also called mirror ports, are part of Layer 2 and 3 network switches. They are active devices and will require you to program them to copy the data desired.

Taps are the best choice when it comes to ease of data capture, versatility of location for data capture, and programming costs. Read this white paper to get more information on how to dimension taps within your network.

What Are Taps and SPANs?

Taps vs SPANs

There is a clear difference between taps and SPANs. Taps offer significant advantages over SPAN ports when monitoring the network.

One benefit is that you can "set and forget" taps because they are a one-time intrusion to the network. SPAN ports require you to configure the switch (or switches) every time you want to change the switch data that needs to be copied.

Once installed, taps and a network packet broker eliminate the need for many Change Board Review processes because you do not need to touch the live network. You just filter and analyze the readily available monitoring data to get the troubleshooting, performance, security-related, and compliance data you need.

Taps are also versatile and you can deploy them anywhere across your network. This gives you the ability to tap ingress, egress, remote links, problem links, etc. with almost no restrictions, unlike the SPAN port which is tied specifically to a network switch and the switch’s physical location.

Take a look at this solution brief to see the differences.

SPAN Ports Can Lie

Keep in mind that network switches (and their SPAN ports) introduce mechanisms on ingress ports to eliminate corrupt packets and packets that are below the minimum frame size. While this may sound beneficial, the problem with this approach is that monitoring devices used for troubleshooting normally require the capture of all data within the egress segment, because key clues can be contained in exactly this data. Switches and SPAN ports can drop Layer 1 and selected Layer 2 data as well, depending on priority level.

By contrast, a tap passes on all of the data on a link. This includes capturing everything needed to properly troubleshoot common physical layer problems, including bad frames that can be caused by a faulty NIC.
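To make the point above concrete, here is a small Python model of what an ingress switch port discards before a SPAN session ever sees it. This is an added illustration, not code from the original white paper. It builds a few constructed Ethernet frames (a well-formed one, a runt, one with a flipped payload bit, and an oversized one), applies the standard IEEE 802.3 checks (64-byte minimum, 1518-byte untagged maximum, and the CRC-32 frame check sequence, computed here with zlib), and reports what a SPAN copy delivers versus what a passive tap delivers. The oversized-frame check goes slightly beyond the text, which mentions only corrupt and undersized frames; the function names and sample frames are this example's own.

```python
import struct
import zlib

MIN_FRAME_LEN = 64    # IEEE 802.3 minimum frame size, including the 4-byte FCS
MAX_FRAME_LEN = 1518  # untagged maximum; anything larger is a "giant"


def build_frame(dst, src, ethertype, payload):
    """Build an Ethernet II frame (no preamble) and append a correct FCS.

    The FCS is CRC-32 over dst..payload and is transmitted least-significant
    byte first, which is exactly what struct's '<I' produces from zlib.crc32.
    """
    body = dst + src + struct.pack('!H', ethertype) + payload
    return body + struct.pack('<I', zlib.crc32(body))


def classify_frame(frame):
    """Return how an ingress switch port would classify a raw frame.

    'runt'    : shorter than 64 bytes, dropped on ingress
    'giant'   : longer than 1518 bytes, dropped on ingress
    'bad_fcs' : CRC does not match, dropped on ingress
    'ok'      : forwarded, and therefore the only kind a SPAN session can copy
    """
    if len(frame) < MIN_FRAME_LEN:
        return 'runt'
    if len(frame) > MAX_FRAME_LEN:
        return 'giant'
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack('<I', zlib.crc32(body)) != fcs:
        return 'bad_fcs'
    return 'ok'


def span_copy(frames):
    """Frames a SPAN/mirror session can deliver: only those the switch accepted."""
    return [f for f in frames if classify_frame(f) == 'ok']


def tap_copy(frames):
    """A passive tap relays every frame on the wire unchanged, good or bad."""
    return list(frames)


def coverage_report(frames):
    """Summarise which wire-level evidence survives each capture method."""
    classes = [classify_frame(f) for f in frames]
    dropped = ('runt', 'giant', 'bad_fcs')
    return {
        'on_wire': len(frames),
        'tap_delivers': len(tap_copy(frames)),
        'span_delivers': len(span_copy(frames)),
        'span_drops': {c: classes.count(c) for c in dropped if classes.count(c)},
    }


# Constructed sample traffic (not a real capture); MAC addresses are made up.
DST = bytes.fromhex('001122334455')
SRC = bytes.fromhex('66778899aabb')
good = build_frame(DST, SRC, 0x0800, b'\x00' * 46)   # 14 + 46 + 4 = 64 bytes
runt = build_frame(DST, SRC, 0x0800, b'\x00' * 20)   # 38 bytes: below minimum
giant = build_frame(DST, SRC, 0x0800, b'\x00' * 1600)  # 1618 bytes: oversized
# A single flipped payload bit (byte 20 lies inside the payload, not the FCS)
# is what a faulty NIC or bad cable produces; the stored FCS no longer matches.
_damaged = bytearray(good)
_damaged[20] ^= 0xFF
corrupt = bytes(_damaged)
SAMPLE_FRAMES = [good, runt, corrupt, good, giant]

if __name__ == '__main__':
    print(coverage_report(SAMPLE_FRAMES))
```

Running the script shows five frames on the wire, five delivered by the tap, and only two delivered by the SPAN session; the runt, the giant and the bad-FCS frame, which are precisely the evidence of a physical-layer fault, never reach the analyzer through the mirror port.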


Cost Analysis

The table below is an attempt to perform an "apples to apples" comparison of SPAN port and Tap port programming costs.

ASSUMPTIONS

  • The cost to administer a Tap is typically $0
  • Proper SPAN port mirroring requires a network engineer to configure the switches (CLI programming + filter validation)
  • Labor rate = $100/hr
  • Programming for each SPAN session gets progressively more time intensive, because a correct filter has to be created and then troubleshot

Administration costs for SPAN sessions start Day 1. In this conservative example, the average annual recurring maintenance costs ($6,890) for SPAN sessions could have been redeployed to buy an average of 10 Taps (annually).

CONFIGURATION PROGRAMMING COST COMPARISON (FOR 1ST YEAR)

PROVISIONING            TAP COST    SPAN SESSION COST
Initial set-up          $0          $530
Session 1               $0          $97
Session 2               $0          $302
Session 3               $0          $540
Session 4               $0          $864
Session 5               $0          $957
SPAN session planning   $0          $3,600
Averaged total          $0          $6,890

Is Partial Coverage Good Enough?

Taps offer the ability to collect data anywhere in the network, not just where the Layer 2 or Layer 3 switches are located.

Partial Coverage

Tap vs SPAN Comparison Table

While SPAN ports create a mirrored copy of network data, there are a host of issues associated with them, and you need to factor this into your monitoring strategy. See the table below for a comparison of the two data capture methods.

FUNCTIONALITY                                                   TAP   SPAN
Provides access to monitoring packets                            x     x
Delivers a complete copy (100%) of data
  (including bad data vital for diagnosis)                       x
Has full system resource priority during crisis
  (i.e., does not drop frames)                                   x
Less vulnerable to security attacks                              x
Does not create unnecessary, duplicate packets                   x
Recommended for lawful intercept                                 x
Relieves SPAN port contention                                    x
Plug & play: no configuration needed                             x


Which network monitoring method can be used to ensure that all traffic sent to any port on a switch is also sent to a device connected to the mirrored port?

Essentially, a port mirroring instruction tells the switch to send a copy of traffic to a specific port. The methodology includes a range of options, enabling you to choose specific traffic originating from or traveling to given IP addresses, or choosing to copy all traffic.

What are the main features that distinguish a Test Access Point (TAP) from a switched port analyzer (SPAN)? (Select all that apply.)

A test access point (TAP) is a hardware device that copies signals from the physical layer and the data link layer, while SPAN (switched port analyzer) is simply ports being mirrored.

Is a series of steps or processes used by an attacker in a logical sequence?

Chapter 7.

Is an event that triggers alarms and causes a false positive when no actual attacks are in progress?

False Attack Stimulus: An event that triggers alarms and causes a false positive when no actual attacks are in progress. Testing scenarios that evaluate the configuration of IDSs may use false attack stimuli to determine if the IDSs can distinguish between these stimuli and real attacks.