TAP vs. SPAN: Why Network TAPs Are Preferred Over SPAN Ports
In today’s high-speed networks, network TAPs are the recommended choice. Here’s why:
1. TAPs create an exact copy of the bi-directional network traffic at full line rate, providing full fidelity for network monitoring, analytics and security.
2. Passive TAPs provide continuous access to traffic and require no user intervention or configuration once installed — a true set-and-forget solution.
3. SPAN ports are easily oversubscribed, resulting in dropped packets and leading to unsatisfactory or inconsistent results for monitoring and security purposes.
4. SPAN traffic has the lowest priority when it comes to forwarding and may not achieve full line rate. In some situations, low priority can cause packet drops even on a SPAN port operating at single-digit utilization.
5. The SPAN application can have a negative performance impact on the switch itself, sometimes affecting network traffic.
6. Because SPAN traffic is easily reconfigured, SPAN output can change from day to day or hour to hour — resulting in inconsistent reporting.
7. Legal regulations or corporate compliance sometimes mandate that all traffic for a particular segment be monitored. This can only be guaranteed with a TAP.
8. Incorrectly configured SPAN ports have been known to impact network performance or even cause network outages.
9. SPAN ports are limited in number compared to the number of ports that may require monitoring, and they consume ports that could otherwise be carrying production traffic.
10. TAPs don’t care what protocol is carried in the traffic or if it is IPv4 or IPv6. All traffic is passed through a passive TAP, including packets with errors. Active TAPs typically block errors but forward everything else.
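The oversubscription described in items 3 and 4 can be reproduced with a small egress-queue model. This is an added example, not from the original page or any vendor: the 1 ms tick, the 500,000-bit buffer and the traffic rates are constructed assumptions, and the switch's forwarding priority is not modelled.

```python
# Added example: simplified model of a SPAN destination port's egress queue.
# All rates, the 1 ms interval and the buffer size are constructed assumptions.

GBPS_PER_MS = 1_000_000   # bits a 1 Gbps port can send in one 1 ms interval
BUFFER_BITS = 500_000     # assumed egress buffer available to mirrored traffic


def simulate_span(intervals, capacity=GBPS_PER_MS, buffer_bits=BUFFER_BITS):
    """intervals: one list per 1 ms tick of (rx_bits, tx_bits) per mirrored port.

    Both directions of every source port share the destination's single
    transmit path. Returns offered and dropped bits plus average utilization.
    """
    queue = offered = dropped = 0
    for ports in intervals:
        arriving = sum(rx + tx for rx, tx in ports)
        offered += arriving
        queue += arriving
        queue -= min(queue, capacity)      # transmit what the port can carry
        if queue > buffer_bits:            # tail-drop what the buffer cannot hold
            dropped += queue - buffer_bits
            queue = buffer_bits
    return {
        "offered": offered,
        "dropped": dropped,
        "utilization": offered / (capacity * len(intervals)),
    }


def sustained_case():
    # Two full-duplex 1 Gbps source ports, each direction steady at 40% load.
    tick = [(400_000, 400_000), (400_000, 400_000)]
    return simulate_span([tick] * 1000)


def burst_case():
    # One source port, nearly idle except for a 10 ms line-rate burst both ways.
    idle, burst = [(10_000, 10_000)], [(1_000_000, 1_000_000)]
    return simulate_span([idle] * 500 + [burst] * 10 + [idle] * 490)


if __name__ == "__main__":
    for name, result in (("sustained", sustained_case()), ("burst", burst_case())):
        loss = result["dropped"] / result["offered"]
        print(f"{name}: utilization {result['utilization']:.1%}, mirrored bits lost {loss:.1%}")
```

In the burst case the destination port averages about 4% utilization over the second, yet roughly 24% of the mirrored bits are lost, because two line-rate directions are merged onto one transmit path for 10 ms.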
The bottom line is that TAPs should be used wherever 100 percent visibility and traffic fidelity are required. Whenever traffic volumes are moderate to high, deploy network TAPs. As a best practice, install TAPs during the early design phase and pass the traffic directly to a Gigamon visibility node. Even if the traffic is not yet required for daily inspection, it will be available for ad hoc troubleshooting or security inspection within seconds and without needing to involve change management.