What is the Network Tap and Network Packet Broker

When an Intrusion Detection System (IDS) device is deployed, the mirroring port on the switch in the information center of the peer party is not enough (for example, only one mirroring port is allowed, and the mirroring port has occupied other devices).

At this time, when we do not add many mirroring ports, we can use the network replication, aggregation and forwarding device to distribute the same amount of mirroring data to our device.

What is the Network TAP?

Maybe you first heard the name TAP switch. TAP (Terminal Access Point), also known as NPB (Network Packet Broker), or Tap Aggregator?

The core function of TAP is to set up between the mirroring port on the production network and an analysis device cluster. The TAP collects the mirrored or separated traffic from one or more production network devices and distributes the traffic to one or more data analysis devices.

Mylinking Out-of-Band Application

Common Network TAP network deployment scenarios

Network Tap has obvious labels, such as:

Independent Hardware

TAP is a separate piece of hardware that does not affect the load on existing network devices, which is one of the advantages over port mirroring.

ML-TAP-2810 Network TapSwitch?

ML-NPB-5410+ Network Packet BrokerNetwork Tap?

Network Transparent

After the TAP is connected to the network, all other devices on the network are not affected. To them, the TAP is transparent as air, and the monitoring devices connected to the TAP are transparent to the network as a whole.

TAP is just like Port Mirroring on a switch. So why deploy a separate TAP? Let's look at some of the differences between Network TAP and Network Port Mirroring in turn.

Difference 1: Network TAP is easier to configure than port mirroring

Port mirroring needs to be configured on the switch. If the monitoring needs to be adjusted, the switch needs to be reconfigured ALL. However, the TAP only needs to be adjusted where it requested, which has no impact on existing network devices.

Difference 2: Network TAP does not affect network performance relative to port mirroring

Port mirroring on the switch deteriorates the performance of the switch and affects the switching capability. In particular, if the switch is connected to a network in series as inline, the forwarding capability of the entire network is severely affected. TAP is an independent hardware and does not impair device performance due to traffic mirroring. Therefore, it has no impact on the load of existing network devices, which has great advantages over port mirroring.

Difference 3: Network TAP provides more complete traffic process than port mirroring replication

Port mirroring cannot ensure that all traffic can be obtained because the switch port itself will filter some error packets or too small size packets. However, the TAP ensures data integrity because it is a complete "replication" at the physical layer.

Difference 4: The forwarding delay of TAP is smaller than that of Port Mirroring

On some low-end switches, port mirroring may introduce latency when copying traffic to mirroring ports, as well as when copying 10/100m ports to Giga Ethernet ports.

Although this is widely documented, we believe that the latter two analyses lack some strong technical support.

So, in what general situation, we need to use TAP for network traffic distribution? Simply, if you have the following requirements, then the Network TAP is your best choice.

Network TAP Technologies

Listen to the above, feel the TAP network shunt is really a magical device, the current market common TAP shunt using the underlying architecture of roughly three categories:

FPGA

- High performance

- Difficult to develop

- High cost

MIPS

- Flexible and convenient

- Moderate development difficulty

- Mainstream vendors RMI and Cavium stopped development and failed later

ASIC

- High performance

- Expansion function development is difficult, mainly due to the limitations of the chip itself

- The interface and specifications are limited by the chip itself, resulting in poor expansion performance

Therefore, the high density and high speed Network TAP seen in the market has a lot of room for improvement in flexibility in practical use. TAP network shunters are used for protocol conversion, data collection, data shunting, data mirroring, and traffic filtering. The main common port types include 100G, 40G, 10G, 2.5G POS, GE, etc. Due to the gradual withdrawal of SDH products, current Network TAP shunters are mostly used in the all-Ethernet network environment.


Post time: May-25-2022