Network taps vs. port mirroring – Special focus: voice networks
Tom Gallarin
Monitoring/analysis tools and intrusion-detection (IDS) devices depend on either capturing or monitoring data packets from the network, while minimizing impact on its flow. There are two primary methods of acquiring and reading data on switched enterprise networks: port mirroring (or spanning) and in-line network tapping–both with advantages and disadvantages.
Port mirroring features are implemented in nearly all enterprise class switches. The typical enterprise switch has a designated mirror port to which an analyzer or probe may be attached. Traffic from one or more network ports is switched through the backplane to its normal destination port and copied to the mirror port.
The switch-management utility can be used to configure the selection of ports to be mirrored. Some switches, however, are only able to mirror traffic flowing into the ports, while others are able to mirror both in and out traffic of a mirrored port. To avoid forwarding corrupt traffic into the network, most switches filter errors and will not mirror these packets.
Port mirroring is economical and easy to use: no new equipment is required, traffic on all links of a VLAN on a switch can be viewed, and data from multiple links can be mirrored to one analyzer.
With port mirroring, however, multiple ports mirrored to one port can overflow the mirror port's buffer and cause dropped packets. Since packets go through a buffer and are retimed, accurate time-sensitive measurements–such as jitter, packet gap analysis or latency–are difficult. In addition, most mirror ports filter anomalies, thus making trouble-shooting a challenge, and turning on port mirroring puts a load on the switch's CPU/transfer logic, thus impacting the switch's operational performance.
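The oversubscription problem above is easy to check before enabling a mirror session. The following is an added example, not code from the article or from any switch vendor: it models the copied-direction choice described earlier (ingress only, egress only, or both) and adds up what each source port contributes to one destination port. Port names, link speeds and utilization figures are constructed sample values.

```python
"""Estimate whether a set of mirrored source ports oversubscribes one mirror port.

A switch copies the ingress ("rx"), egress ("tx") or both directions of each
source port onto a single destination port of fixed capacity.  When the sum of
the copied traffic exceeds that capacity the destination buffer fills and the
switch drops packets, so the analyzer sees an incomplete stream.
All port names and traffic figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SourcePort:
    name: str
    link_mbps: int          # port speed in Mbit/s
    rx_util: float          # fraction of link speed flowing into the port (0..1)
    tx_util: float          # fraction of link speed flowing out of the port (0..1)
    direction: str = "both"  # which direction(s) the switch copies: "rx", "tx" or "both"


def mirrored_mbps(port: SourcePort) -> float:
    """Traffic (Mbit/s) that one source port contributes to the mirror port."""
    if port.direction not in ("rx", "tx", "both"):
        raise ValueError(f"unknown mirror direction {port.direction!r}")
    rx = port.link_mbps * port.rx_util if port.direction in ("rx", "both") else 0.0
    tx = port.link_mbps * port.tx_util if port.direction in ("tx", "both") else 0.0
    return rx + tx


def mirror_load(sources: List[SourcePort], dest_link_mbps: int) -> Dict[str, float]:
    """Sum the copied traffic and compare it with the destination port capacity.

    'worst_case_mbps' assumes every source is saturated in every copied
    direction, which is the figure to plan against for critical links.
    """
    copied = sum(mirrored_mbps(p) for p in sources)
    worst = sum(p.link_mbps * (2 if p.direction == "both" else 1) for p in sources)
    ratio = copied / dest_link_mbps
    return {
        "copied_mbps": copied,
        "oversubscription": ratio,      # > 1.0 means packets will be dropped
        "drops_expected": ratio > 1.0,
        "worst_case_mbps": worst,
    }


if __name__ == "__main__":
    # Constructed sample: two 1 Gbit/s access ports mirrored to one 1 Gbit/s port.
    ports = [
        SourcePort("port-1", 1000, rx_util=0.4, tx_util=0.3),
        SourcePort("port-2", 1000, rx_util=0.3, tx_util=0.2),
    ]
    print(mirror_load(ports, dest_link_mbps=1000))
```

Mirroring both directions of two moderately loaded gigabit ports already exceeds a gigabit destination port in this sample; restricting the session to ingress only brings it back under capacity, which is the trade-off the text describes for switches that can only mirror inbound traffic.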
In-line taps are inserted directly into a link. They split or copy the signals from both channels and retransmit the data streams back out to the link and to the probe. Optical taps contain a pair of passive optical beam splitters and no powered components. Light entering the tap from each channel is divided and separately channeled out to the link and to the probe. Since the light is effectively split in half, an attenuation factor should be calculated into the optical power budget.
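The attenuation factor mentioned above is what decides whether an optical tap can be dropped into a link without starving the receiver on either leg. The following added example (not from the article or from any tap vendor) carries that power-budget calculation through for an arbitrary split ratio, so it covers the even split the text describes as well as uneven taps that send most of the light down the network leg. Every transmitter, receiver, fiber and connector figure is a constructed assumption; substitute the datasheet values for the optics in use.

```python
"""Optical power budget for a link with a passive beam-splitter tap inserted.

The splitter divides the light on each channel between the network leg and the
monitor leg.  A leg that carries `fraction` of the power loses
-10*log10(fraction) dB (about 3 dB for an even split), plus the tap's own
excess loss.  That loss is added to the fiber, connector and splice losses
and compared with the transmitter-to-receiver budget for each leg.
All numeric parameters used here are constructed examples, not measured values.
"""
import math
from typing import Dict


def split_loss_db(fraction: float) -> float:
    """Loss (dB) from a splitter that passes `fraction` of the optical power on one leg."""
    if not 0.0 < fraction <= 1.0:
        raise ValueError("fraction must be in (0, 1]")
    return -10.0 * math.log10(fraction)


def optical_budget(
    tx_power_dbm: float,        # transmitter launch power
    rx_sensitivity_dbm: float,  # minimum power the receiver on this leg needs
    fiber_km: float,
    fiber_db_per_km: float,
    connectors: int,
    connector_loss_db: float,
    tap_fraction: float,        # share of light this leg receives from the splitter
    tap_excess_db: float,       # insertion/excess loss of the tap itself
    safety_margin_db: float = 3.0,
) -> Dict[str, float]:
    """Return the loss breakdown and remaining margin for one leg of the tapped link."""
    budget = tx_power_dbm - rx_sensitivity_dbm
    fiber_loss = fiber_km * fiber_db_per_km
    connector_loss = connectors * connector_loss_db
    tap_loss = split_loss_db(tap_fraction) + tap_excess_db
    total_loss = fiber_loss + connector_loss + tap_loss
    margin = budget - total_loss
    return {
        "budget_db": budget,
        "tap_loss_db": tap_loss,
        "total_loss_db": total_loss,
        "margin_db": margin,
        "ok": margin >= safety_margin_db,  # True: leg works with the requested safety margin
    }


def tapped_link(network_fraction: float, **link) -> Dict[str, Dict[str, float]]:
    """Evaluate both legs of a tap that sends `network_fraction` of the light onward
    to the original receiver and the remainder to the probe."""
    return {
        "network_leg": optical_budget(tap_fraction=network_fraction, **link),
        "monitor_leg": optical_budget(tap_fraction=1.0 - network_fraction, **link),
    }


if __name__ == "__main__":
    # Constructed short-reach example: -3 dBm launch, -17 dBm sensitivity, 2 km of
    # fiber at 0.5 dB/km, four connectors at 0.5 dB each, 1 dB tap excess loss.
    link = dict(tx_power_dbm=-3.0, rx_sensitivity_dbm=-17.0, fiber_km=2.0,
                fiber_db_per_km=0.5, connectors=4, connector_loss_db=0.5,
                tap_excess_db=1.0)
    for name, leg in tapped_link(0.5, **link).items():
        print(name, leg)
```

Running both legs is the point: with an uneven tap the network leg keeps a comfortable margin while the monitor leg, which receives the smaller share, is the one that fails first, so the probe's receiver sensitivity has to be checked separately from the link's.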
Taps do not require configuration and are passive and fault tolerant: 10/100 Ethernet taps should not even participate in link negotiation and, therefore, should be invisible to the network. To avoid undesirable service outages when a tool is needed on a link, taps should be permanently installed in backbone and critical links when the cable is being pulled or during scheduled down times.
Taps can see 100% of the packets, as well as anomalies to support troubleshooting. Timing values with taps are accurate, and they can be installed one time in the link, with the analyzer attached or moved without disruption to the network. Taps, however, require an extra product to purchase, see only one link at a time and occupy rack space unless left free standing.
Taps are best applied for mission-critical or business-critical links. Having pre-installed taps in these links, IT engineers can trouble-shoot occasional anomalies and other problems without taking down the link to insert an analyzer. Core or backbone links with high bandwidth utilization should be pre-tapped to allow installation, moving and removal of probes and monitors without breaking the links.
For troubleshooting, taps operate on the signal level and do not recognize packets, sending a copy of the actual packets, legal and otherwise, from the media. For intrusion-detection monitoring, the link supporting the firewall offers a place for a tap to provide a complete data stream to the intrusion-detection system. These systems depend on complete data streams to recognize intruder patterns. Finally, multiport switching taps can be used where any one of a set of server links may be remotely viewed in rotation or upon need.
For more information from Finisar: www.rsleads.com/306cn-259
COPYRIGHT 2003 Nelson Publishing
COPYRIGHT 2003 Gale Group