Most enterprise switches copy the activity of one or more ports through a Switch Port Analyzer (SPAN) port, also known as a mirror port. An analysis device can then be attached to the SPAN port to access network traffic.
A TAP (Test Access Point) is a passive splitting mechanism installed between a ‘device of interest’ and the network. TAPs transmit both the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring device in real time.
SPAN port advantages:
Low cost
Remotely configurable from any system connected to the switch
Captures intra-switch traffic

TAP advantages:
Eliminates the risk of dropped packets*
Monitoring device receives all packets, including physical errors
Provides full visibility into full-duplex networks

SPAN port disadvantages:
Cannot handle heavily utilized full-duplex links without dropping packets
Filters out physical layer errors, hampering some types of analysis
Burden placed on a switch’s CPU to copy all data passing through ports
Can change the timing of frame interaction, altering response times
Switch prioritizes SPAN port data lower than regular port-to-port data

TAP disadvantages:
Analysis device may need dual-receive capture interface*
Additional cost with purchase of TAP hardware
Cannot monitor intra-switch traffic
When deciding whether to use a TAP or a SPAN port, the two primary factors that will affect your decision are the type of analysis and the amount of bandwidth.
A SPAN port performs well on lightly utilized networks or when analysis is not affected by dropped packets.
A TAP is ideal when analysis requires seeing all the traffic, including physical-layer errors. A TAP is required if network utilization is moderate to heavy. An Aggregator TAP can be used as an effective compromise between a TAP and SPAN port, delivering some of the advantages of a TAP and none of the disadvantages of a SPAN port.
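The bandwidth factor can be checked before choosing, because a SPAN port has to carry both directions of a full-duplex link through one transmit path. The following is an added example, not part of the original page: it assumes octet counters polled from the monitored port (64-bit counters such as IF-MIB ifHCInOctets/ifHCOutOctets), and the sample values and function names are constructed for illustration.

```python
from dataclasses import dataclass

COUNTER_MODULUS = 2**64  # assumption: 64-bit octet counters on the monitored port


@dataclass
class Sample:
    t: float         # seconds since the first poll
    rx_octets: int   # cumulative octets received on the monitored port
    tx_octets: int   # cumulative octets sent on the monitored port


def _bps(new, old, dt):
    # The modulo keeps the delta correct across a single counter wrap.
    return ((new - old) % COUNTER_MODULUS) * 8 / dt


def mirror_load(samples, span_bps):
    """Per polling interval: (start_t, rx_bps, tx_bps, min_drop_fraction)."""
    rows = []
    for a, b in zip(samples, samples[1:]):
        dt = b.t - a.t
        if dt <= 0:
            raise ValueError("samples must be in increasing time order")
        rx = _bps(b.rx_octets, a.rx_octets, dt)
        tx = _bps(b.tx_octets, a.tx_octets, dt)
        combined = rx + tx  # both directions leave through the one mirror port
        drop = max(0.0, (combined - span_bps) / combined) if combined else 0.0
        rows.append((a.t, rx, tx, drop))
    return rows


def recommend(samples, span_bps):
    """'SPAN' if every interval fits in the mirror port, otherwise 'TAP'."""
    worst = max(row[3] for row in mirror_load(samples, span_bps))
    return "SPAN" if worst == 0.0 else "TAP"


# Constructed samples for a 1 Gbit/s full-duplex port polled every 10 s;
# the rx counter wraps between the first and second poll.
SAMPLES = [
    Sample(0, 2**64 - 100_000_000, 0),
    Sample(10, 150_000_000, 125_000_000),
    Sample(20, 1_025_000_000, 875_000_000),
]

if __name__ == "__main__":
    for start, rx, tx, drop in mirror_load(SAMPLES, 1e9):
        print(f"t={start:>4.0f}s rx={rx/1e6:.0f} Mbit/s tx={tx/1e6:.0f} Mbit/s "
              f"minimum drop={drop:.1%}")
    print("recommendation:", recommend(SAMPLES, 1e9))
```

The drop figure is a lower bound: interval averages hide short bursts, and the model ignores the switch CPU load and the lower priority given to SPAN data.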