SPANS Vs Taps

Bein_Matthew · July 1, 2010, 8:48pm

As I was doing a design today. I found that I had a bunch of 100 MB
connections that I was going to bring into a aggregation tap. Then I was
thinking, why don't I use a switch like a Cisco 3560 to gain more
density. Anyone run into this? Any down falls with using a switch to
aggregate instead of a true port aggregator??

Regards,

Matthew

Gary_Gladney · July 1, 2010, 9:27pm

Depends on the the bunch of 100MB connections. On the down side, when aggregating using a Cisco switch is a limit on the number of switch ports you can aggregate. On the up side, you don't have to be concerned about another device between the switch and device you want to connect to.

Gary

Gary Gladney
Space Telescope Science Institute
Email: gladney@stsci.edu
Voice: 410.338.4912
Public Key: ldap://certserver.pgp.com

Darren_Bolding · July 1, 2010, 11:24pm

Tap manufactures will be sure to tell you of many issues.

The main concern I would have is that it is possible for a switch to drop
frames of a SPAN. Your decision might be influenced based on your
application and the impact of such errors (billing, lawful intercept,
forensics).

A tap vendors take: http://www.networkcritical.com/What-are-Network-Taps

On a somewhat related note, I will mention that TNAPI from ntop is quite
handy. http://www.ntop.org/TNAPI.html

<http://www.networkcritical.com/What-are-Network-Taps>--D

Ricky_Beam · July 2, 2010, 12:50am

Tap manufactures will be sure to tell you of many issues.

Well, there are issues on both sides...

A true tap is an electronic mirror. It doesn't much care what the signal is; whatever it senses, it replicates. As the OP is talking about an aggrigating tap, he's already using a switch. I've used NetworkCritical, NetOptics, and several other "cheap" taps. None of them are even remotely cheap. That said, use an ethernet switch...

The main concern I would have is that it is possible for a switch to drop
frames of a SPAN. Your decision might be influenced based on your
application and the impact of such errors (billing, lawful intercept,
forensics).

Yes, a switch can drop traffic (inbound and out.) But so can a tap. And so can the thing listening to the tap.

At work I'm configuring an integrate Broadcom 10G switch (SoC) as a pure mirror. The ports wired to the system form a trunk group which is the destination for the mirror of the external ports. This is exactly what you'll find inside $$$$$ commercial multiport aggrigating "taps". (and btw, we've thrown over 1Mpps at it without issue; ~50% 64byte packets, the bane of any switch. (recorded) real world traffic, not some Spirent simulation.)

--Ricky