Why I like using a TAP even behind a “Mirror Port” of a switch

TAP

Definition: Network TAP and “Mirror Port”

Since the Ethernet Network invented the Micro Segmentation, the capturing of network has become more complicated, because a packet can not be seen at every point in the network.

A lot of of people encounter this problem with “Mirror Ports”. And in fact there are a lot of pros cons for that kind of solution, as you can read here:
WhitePaper: “Using the Cisco Span Port for San Analysis”

On the other hand you could use a so called “Network TAPs” (For example, a box like that one of Garland Technology.

Network TAP: Modes of operation:

A common Network TAP uses three modes of operation as it can be seen in the picture below:

Aggregation Mode:

  • Live network traffic flows between Port A and Port B.
  • The traffic which flows betwwen Port A and Port B is aggregated and can be monitored identically at Port C and Port D
  • Pros:
    • Absence of reaction
    • Passive
    • Invisible to the network
    • Link Failures could be transported (LFP)
    • Jumbo Frame support
    • Passes Physical Errors even to the monitoring Ports
    • 1 GBit/s Full Duplex Traffic could be captured at one link
  • Cons:
    • The full duplex traffic could be monitored reliable only if the monitor port as large as the aggregated full duplex capacity of the network link
    • Mostly perfect for Fast Ethernet network ports and 1 Gbit/s monitoring ports

Breakout Mode:

  • Live network traffic flows between Port A and Port B.
  • The traffic which flows from Port A to Port B can be monitored at Port C
  • The traffic which flows from Port B to Port A can be monitored at Port D
  • Pros:
    • Absence of reaction
    • Passive
    • Invisible to the network
    • Link Failures could be transported (LFP)
    • Jumbo Frame support
    • Passes Physical Errors even to the monitoring Ports
    • 1 GBit/s Full Duplex Traffic could be captured
  • Cons:
    • You neeed 2 capture interfaces
    • Captured must be merged
    • For most precise results an additional professional capture card is needed

SPAN/Regeneration Mode:

  • Live network traffic flows to Port A
  • The traffic which flows to Port A can be monitored at Port B, Port C and Port D
  • Pros:
    • Absence of reaction
    • Passive
    • Invisible to the network
    • Jumbo Frame support
    • Passes Physical Errors even to the monitoring Ports
    • 1 GBit/s downstream Traffic could be captured at one link
    • Traffic can be multiplied to different devices
  • Cons:
    • Special use case

That is what most of us already know about TAPs and “Mirror Ports”.

A TAP provides absence of reaction to the live network

From my point of view one of the most unargued benefits of a TAP is the absence of reaction to the live data which he can provide.
There are a lot of environments where nonreactive devices are a MUST. For exapmple especially the environments which are strongly focusssed on safety or security.
Let´s assume the following:
You and your customer like the usage of a mirror port. Why? Because, it is easy to configure, it does not disturb the service, some admins don´t need a change to do this kind of change and so on… In short it is quick and clean, like most admins would agree.
But infact it isn´t.
Because, if you have to take a capture in an foreign network (let us assume a customers network) then you are with your laptop directly inside their network.
Hopefully you have checked that the monitor port is nonreactive to the live network and your capture device is well prepared for capturing
So I personal prefer the usage of a TAP, if I am inside a foreign network with my own equipment.

But sometimes it is next to impossible to bring in a temporarily TAP into a network. For example if it is not allowed to disturb a service or something else.
So in this cases you have to use a mirror port… If you like it or not.

So the great question will be, how can we use the benefits of a mirror port (no service break) with creating a clean temporarily nonreactive point of demarcation.
The answer is quite simple as you can guess… Yes! We have to use a TAP behind the “Mirror Port”!
So if we disable the TAP Link Failur Propagation und use the TAP in the Regeneration or “Break Out” Mode all traffic from the “Mirror Port” will be forwarded to the TAPs monitor ports. And our capture device is connected with the nonreactive monitor port of the TAP.
TAP
So The TAP has helped us to build a clear and visible point of nonreactive demarcation. Indeed with all the cons of a mirror port, but with the gain of a nonreactive capture even at a mirror port. This is really a strong and often underestimated benefit if you have to work in sensible environments like industrial ethernets or something else.

Glossar


Microsegmentation      Placing single devices into its own collision domain
collision domain       Is an area in a computer network in which data packets can collide with one another 
TAPs                   Test Acces Point 
LFP                    Link Failur Propagation, propagates link failures in the live network

6 comments

  • Hm, I certainly see your point, but I think using a TAP behind a SPAN port is overkill, with one exception: when you have multiple capture/analysis devices receiving packets from a single SPAN port using Regeneration Mode.

    Using a TAP to “protect the network” doesn’t make much sense. It’s expensive (you need to buy a TAP), it adds complexity (if only a little), and it has no advantage when the capture setup is correct. Meaning: if you’re taking a Laptop to a customer site and use it to capture, disable ALL port bindings on the network card (works on Windows as well as on Linux) – that way the card cannot actively communicate at all, but it can still receive (=capture) incoming packets. This is capture setup 101 – if I ever catch anyone capturing with an active IP address on the capture card in a production network there will be hell to pay 🙂

    Plus, most SPAN ports of professional switches will not accept incoming packets anyway and drop them, but of course you can never assume that. Also, you’re right about TAPs: few customers will ever allow inserting a TAP into live connections unless it’s a single PC or server. I never had one in 12 years that allowed inserting temporary TAPs into backbone links, and I can see why.

    Like

    • Hi Jasper,
      I agree with you, it is a slightly overkilled use case, especially if you don’t own a TAP.
      The best practice scenario is still the scenario you explained in your comment.

      But as I mentioned in the title the article describes my personal opinion.
      I personal like this setup, because it reduce the possible failures even it is in a more tehoretical than a practical value.
      A non told requirement for that opinion is of course that you already own a TAP. (sorry about that)

      But there might be some special use cases were a clear physical nonreactive point of demarcation is needed or the best practice way is not alowed, who knows.
      So I just wanted to give those people something to think about with this kind of solution.

      All others can should use the best practice way using a mirror port.

      Like

    • Hi guys,
      Nice article.
      What does it mean to disable ALL port bindings on the network card ? Can you please provide any instruction ? What is the reason behind doing so ?

      BR
      Adam

      Like

  • Why not directly the monitoring station on the mirrored port?

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s