Data Center Network Monitoring with TAPs

Hello All,

Was wondering what folks are using to monitor traffic
on their networks. Looking into Ixia and APCON devices for dedup and
other filtering features as well as passive fiber TAPs to capture the

How are folks handling TAP'ing large data center
networks? TAPs at the "distribution layer" would be the best fit for my
network but that would require a ton of passive fiber TAPs for the
incoming fibers to the distribution switches. The end goal is to not
only capture the north-south traffic on the network but also east-west
traffic. It seems more efficient to just use SPANs but there are many
limitations using SPANs.

Thanks in advance for any suggestions.


Ultimately this is one of the things that SDN schemes such as OpenFlow bring a data center for free. Distributed flow statistics collection through OenFlow's extensible infrastructure gives you a huge range of reporting and analysis capabilities, with no taps needed. Every network port is in essence a tap.

Here's an interesting paper on one open source OF tool:

-mel beckman

Take a look at flow telemetry options you have for your IDC hardware - a combination of flow telemetry, plus the ability to divert traffic into an instrumented sinkhole for full packet-capture is something to consider.

SPAN sessions count against your frames per-second budget; not recommended for serious, high-traffic applications.

Here's a recent forum thread that discussed the same exact topic. You might
find some insight:

I'm designing the first phase of a datacenter network monitoring project
for my company. We are starting with SPAN at access layer and plan to
control traffic volume using filtering, slicing, de-dupe, etc. There are
instances when we need to do capacity/delay analysis on L2 traffic and
Ixia, APCON, Emulex etc. are coming out with flow generators for SPAN/TAP

We may decide to go with TAP in the future as we found a vendor that was
willing to implement functionality to allow us to offload flow generation
from our access/distribution/core devices by creating templates based on
the source device/interface. In essence, to our monitoring tools, netflow
traffic will seem as if it is coming from the real device.

Best Regards,

Kristian J. Francisco

Some colleagues wrote up Microsoft DEMon: