Advantages and features
Older network technologies tended to be shared. Connecting a monitoring device to a shared network segment (i.e., piece of a network) was very easy -- just connect the monitoring device as you would any other host, and enable promiscuous mode. Modern network technologies tend to be switched, meaning that devices are connected using point-to-point links. If a monitoring device is connected to such a network, it will only see its own traffic. The network TAP allows the monitoring device to view the contents of a point-to-point link.
Modern network technologies are often full-duplex, meaning that data can travel in both directions at the same time. If a network link allows 100 Mbit/s of data to flow in each direction at the same time, this means that the network really allows 200 Mbit/s of aggregate throughput. This can present a problem for monitoring technologies if they have only one monitor port. Therefore, network TAPs for full-duplex technologies usually have two monitor ports, one for each half of the connection. The listener must use channel bonding or link aggregation to merge the two connections into one aggregate interface to see both halves of the traffic. Other monitoring technologies do not deal well with the full-duplex problem.
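The full-duplex point above can be checked with numbers. The following Python example is added here and is not part of the original post: it merges the two per-direction monitor-port captures into one time-ordered stream, as a bonded listener would see them, and shows that the same traffic overruns a single 100 Mbit/s monitor port. The record layout, the function names and the sample frames are constructed for illustration.

```python
import heapq
from collections import defaultdict

LINK_BPS = 100_000_000  # per-direction rate used in the text (100 Mbit/s)

# Constructed sample: (timestamp_us, direction, frame_bytes) as seen on each
# monitor port. Each direction bursts 1500-byte frames back to back for ~1 ms.
PORT_A = [(10 + 120 * i, "A->B", 1500) for i in range(8)] + [(1_000_020, "A->B", 64)]
PORT_B = [(15 + 120 * i, "B->A", 1500) for i in range(8)] + [(1_000_500, "B->A", 64)]


def merge_halves(port_a, port_b):
    """Interleave two time-sorted monitor-port captures into one stream."""
    return list(heapq.merge(port_a, port_b, key=lambda rec: rec[0]))


def overloaded_windows(records, monitor_bps=LINK_BPS, window_us=1000):
    """Return start times (us) of windows whose traffic exceeds what one
    monitor port of monitor_bps can carry. Preamble and inter-frame gap
    are ignored, so real headroom is slightly smaller."""
    bits = defaultdict(int)
    for ts_us, _direction, size in records:
        bits[ts_us // window_us] += size * 8
    budget = monitor_bps * window_us // 1_000_000
    return [w * window_us for w, total in sorted(bits.items()) if total > budget]


if __name__ == "__main__":
    merged = merge_halves(PORT_A, PORT_B)
    for ts_us, direction, size in merged[:4]:
        print(f"{ts_us:>8} us  {direction}  {size} B")
    print("one direction on one port :", overloaded_windows(PORT_A))
    print("both halves on one port   :", overloaded_windows(merged))
```

Each half fits its own monitor port, but the merged stream carries 192,000 bits in the first millisecond against a 100,000-bit budget, which is where a single-port monitor would drop frames.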
Once a network TAP is in place, the network can be monitored without interfering with the network itself. Other network monitoring solutions require in-band changes to network devices, which means that monitoring can impact the devices being monitored.
Once a TAP is in place, a monitoring device can be connected to it as-needed without impacting the monitored network.
Some TAPs have multiple output ports, or multiple pairs of output ports for full-duplex, to allow more than one device to monitor the network at the TAP point. These are often called regeneration TAPs.
Figure: A passive fiber optic tap.
Some TAPs, particularly fiber TAPs, can use no power and no electronics at all for the pass-through and monitor portion of the network traffic. This means that the TAP should never suffer any kind of electronics failure or power failure that results in a loss of network connectivity. One way this can work, for fiber-based network technologies, is that the TAP divides the incoming light using a simple physical apparatus into two outputs, one for the pass-through, one for the monitor. This can be called a passive TAP. Other TAPs use no power or electronics for the pass-through, but do use power and electronics for the monitor port. These can also be referred to as passive.
Some TAPs operate at the physical layer of the OSI model rather than the data link layer. For example, they work with multi-mode fiber rather than 1000BASE-SX. This means that they can work with most data link network technologies that use that physical media, such as ATM and some forms of Ethernet. Network TAPs that act as simple optical splitters, sometimes called passive TAPs (although that term is not used consistently) can have this property.
Some network TAPs offer both duplication of network traffic for monitoring devices and SNMP services. Most major network TAP manufacturers offer TAPs with remote management through Telnet, HTTP, or SNMP interfaces. Such network TAP hybrids can be helpful to network managers who wish to view baseline performance statistics without diverting existing tools. Alternatively, SNMP alarms generated by managed TAPs can alert network managers to link conditions that merit examination by analyzers or intrusion detection systems.
Some TAPs get some of their power (i.e., for the pass-through) or all of their power (i.e., for both pass-through and monitor) from the network itself. These can be referred to as having inline power.
Some TAPs can also reproduce low-level network errors, such as short frames, bad CRC or corrupted data.