Re: SPANS Vs Taps

["Ricky Beam" <jfbeam () gmail com>]

On Thu, 01 Jul 2010 19:24:38 -0400, Darren Bolding <darren () bolding org>  
wrote:
> Tap manufactures will be sure to tell you of many issues.

Well, there are issues on both sides...

A true tap is an electronic mirror.  It doesn't much care what the signal  
is; whatever it senses, it replicates.  As the OP is talking about an  
aggrigating tap, he's already using a switch.  I've used NetworkCritical,  
NetOptics, and several other "cheap" taps.  None of them are even remotely  
cheap.  That said, use an ethernet switch...

> The main concern I would have is that it is possible for a switch to drop
> frames of a SPAN.  Your decision might be influenced based on your
> application and the impact of such errors (billing, lawful intercept,
> forensics).

Yes, a switch can drop traffic (inbound and out.)  But so can a tap.  And  
so can the thing listening to the tap.

At work I'm configuring an integrate Broadcom 10G switch (SoC) as a pure  
mirror.  The ports wired to the system form a trunk group which is the  
destination for the mirror of the external ports.  This is exactly what  
you'll find inside $$$$$ commercial multiport aggrigating "taps". (and  
btw, we've thrown over 1Mpps at it without issue; ~50% 64byte packets, the  
bane of any switch.  (recorded) real world traffic, not some Spirent  
simulation.)

--Ricky