TAP versus SPAN (RSPAN) or VACL!
By: Tim O’Neill – The Oldcommguy®© CopyRight 2007 - 2022
Is using a SPAN port a viable data access technology for today’s business critical networks, especially with today’s ever increasing pressure to satisfy Data Security Compliance, Lawful Intercept and Deep Packet Inspection requirements? In today’s world we now have the GDPR requirements that “Require” 100% data inspection and retention! Plus, Deep Packet Inspection with Firewalls must have full visibility of every frame and part thereof!
So “REAL” TAPs, both electrical and photonic, are even more in demand!
Author’s Note – This article goes back to the mid 1990’s when we at Network General needed a TAP to allow access to the network for our portable and distributed Sniffers for full visibility of the monitored networks. Working with Datacom Systems we invented the first Ethernet TAP (Test Access Point) in 1994. In the mid 1970’s I helped build the first RS-232, RS-449 and V.35 TAPs to support the Telcoms’ WAN data monitoring needs.
This article comes from all those experiences and wanting people to see all their data and not waste their time looking at a portion of their network through limited views of corrupted data.
SPAN causes timing and sequencing errors as well as (random) packet loss, which are not acceptable!
My hope is that this article does two things: one, it informs today's technologists of the requirements for a real-time, no-loss view of their network, and two, it challenges them to always question and test their visibility access methods!
FYI - This article has been stolen by some companies who have put their name on it or removed my name and the origin from WWW.Lovemytool.com – now WWW.NetworkDataPedia.com .
I am not sure why, as I have openly shared this since 2007, so I might suggest that one steer clear of unethical companies that do such things.
Full permission has been given to several companies to post this article and variants as long as the Author (me) and Copyright information are maintained!
SPAN or TAP - see why!
ABSTRACT - Network engineers and managers need to think about today’s compliance requirements and the limitations of conventional data access methods. This article is focused on TAPs versus port mirroring / SPAN and RSPAN technology.
SPAN is not all bad, but one must be aware of its limitations, and since managed switches are an integral part of the infrastructure, one must be careful not to establish a failure point. Understanding what can be monitored is important for success, since SPAN ports are often overused, leading to dropped frames; this is because LAN switches are designed to groom data (change timing, add delay), discard bad frames and ignore all layer 1 & 2 information. Furthermore, typical implementations of SPAN ports cannot handle FDX monitoring, and analysis of VLANs is also problematic.
Moreover, when dealing with Data Security Compliance, the combination of facts that SPAN ports limit views, are not secure, and transport monitored traffic through the production network could prove unacceptable in a court of law.
SPAN is not acceptable for Deep Packet Inspection requirements as DPI requires 100% visibility of every bit, nibble, byte and octet in every frame from Flag to Flag!
When used within its limits and properly focused, SPAN is a valuable resource to managers and monitoring systems. However, for a 100% guaranteed view of network traffic, a passive network TAP is a necessity for meeting many of today’s access requirements, and as we approach larger deployments of 10 Gigabit and up, SPAN access limitations will become more of an issue.
Until the early 1990’s, using a TAP or test access point from a switch patch panel was the only way to monitor a communications link. Most links were WAN, so an adaptor like the V.35 adaptor from Network General, or an access balun for a LAN, was the only way to access a network. Most LAN analyzers had to join the network to really monitor it; on Token Ring, for example, the monitor became an upstream/downstream part of the actual network.
As switches and routers developed, there came a technology we call SPAN ports or mirroring ports and now monitoring was off and running. Analyzers and monitors no longer had to be connected to the network; engineers would use the SPAN (mirror) port and direct packets from their switch or router to the test device for analysis.
SPAN generally stands for Switch Port for Analysis and was a great way to effortlessly and non-intrusively acquire data for analysis. By definition, a SPAN Port usually indicates the ability to copy traffic from any or all data ports to a single unused port but also usually disallows bidirectional traffic on that port to protect against backflow of traffic into the network.
Please note – graphics are courtesy of George Bouchard and ProfiTAP!
Is SPAN port a passive technology – No!
Some call SPAN port a passive data access solution – but passive means “having no effect” and spanning (mirroring) does have measurable effect on the data.
First – Spanning or mirroring changes the timing of the frame interaction (what you see is not what you get).
Second – The spanning algorithm is not designed to be the primary focus or the main function of the device, unlike switching or routing, so spanning is not the first priority, and if replicating a frame becomes an issue the hardware will temporarily drop the SPAN process.
Third – If the SPAN port becomes overloaded, frames are dropped.
Fourth – Proper spanning requires that a network engineer configure the switches properly; this takes away from the more important tasks that network engineers have, and many times configurations can become a political issue (constantly creating contention between the IT team, the security team and the compliance team).
Fifth – The SPAN port drops all packets that are corrupt or below the minimum size, so not all frames are passed on. All of these events can occur with no notification sent to the user, so there is no guarantee that one will get all the data required for proper analysis.
In summary, the fact that the SPAN port is not a truly passive data access technology, or even entirely non-intrusive, can be a problem particularly for Data Security Compliance monitoring or Lawful Intercept. Since there is no guarantee of absolute fidelity, it is possible or even likely that evidence gathered by this monitoring process will be challenged in a court of law.
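The comparison test the article keeps urging, as an added example that is not part of the original post: a small Python check that lines up a SPAN capture against the TAP capture of the same link and reports what the mirror silently lost (runts, bad-CRC frames, load drops), what it reordered and how far its inter-frame timing drifted from the wire. The frame records, timestamps and the `seq` field used to match frames are constructed for the illustration.

```python
"""Fidelity check of a SPAN (mirror) feed against a TAP reference capture.
Added example, not from the article or any vendor. Both captures are
constructed; real ones would be matched by payload fingerprint, not `seq`."""
from dataclasses import dataclass
from statistics import mean

MIN_FRAME = 64  # minimum legal Ethernet frame size; anything shorter is a runt


@dataclass(frozen=True)
class Frame:
    seq: int      # identifier matching one frame across both captures
    ts_us: int    # capture timestamp in microseconds
    length: int   # bytes on the wire
    crc_ok: bool  # whether the FCS verified


def classify_missing(reference, mirrored):
    """TAP frames absent from the SPAN feed, grouped by cause: runts and
    bad-CRC frames are discarded by design, the rest is load-related loss."""
    seen = {f.seq for f in mirrored}
    missing = [f for f in reference if f.seq not in seen]
    return {
        "runt": [f.seq for f in missing if f.length < MIN_FRAME],
        "bad_crc": [f.seq for f in missing if f.length >= MIN_FRAME and not f.crc_ok],
        "unexplained": [f.seq for f in missing if f.length >= MIN_FRAME and f.crc_ok],
    }


def reordered(reference, mirrored):
    """Sequence numbers the SPAN port delivered out of their wire order."""
    wire_pos = {f.seq: i for i, f in enumerate(reference)}
    out, furthest = [], -1
    for f in sorted(mirrored, key=lambda f: f.ts_us):
        if wire_pos[f.seq] < furthest:
            out.append(f.seq)
        else:
            furthest = wire_pos[f.seq]
    return out


def gap_distortion(reference, mirrored):
    """(mean, max) absolute error in microseconds between SPAN inter-frame
    gaps and the wire gaps from the TAP, over frames present in both."""
    wire_ts = {f.seq: f.ts_us for f in reference}
    common = sorted((f for f in mirrored if f.seq in wire_ts), key=lambda f: wire_ts[f.seq])
    errors = [abs((b.ts_us - a.ts_us) - (wire_ts[b.seq] - wire_ts[a.seq]))
              for a, b in zip(common, common[1:])]
    return (mean(errors), max(errors)) if errors else (0, 0)


def fidelity_report(reference, mirrored):
    """What a compliance reviewer asks of the feed: is it complete and timing-true?"""
    missing = classify_missing(reference, mirrored)
    out_of_order = reordered(reference, mirrored)
    mean_err, max_err = gap_distortion(reference, mirrored)
    return {"missing": missing, "reordered": out_of_order,
            "gap_error_mean_us": mean_err, "gap_error_max_us": max_err,
            "fit_for_full_capture": not any(missing.values()) and not out_of_order and max_err == 0}


# Constructed TAP capture: all frames in wire order, runt and bad-CRC included.
TAP = [Frame(1, 0, 1514, True), Frame(2, 12, 60, True), Frame(3, 25, 1514, False),
       Frame(4, 37, 1514, True), Frame(5, 49, 1514, True), Frame(6, 61, 1514, True)]
# Constructed SPAN copy: runt and bad-CRC frames silently gone, frame 5 lost
# under load, frame 6 overtook frame 4, and the gaps no longer match the wire.
SPAN = [Frame(1, 0, 1514, True), Frame(6, 70, 1514, True), Frame(4, 95, 1514, True)]
```

Running the same report with the TAP capture on both sides returns no loss, no reordering and zero timing error, which is the baseline a mirror port has to be measured against.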
Is SPAN port a scalable technology – No!
When we had only 10 Mbps links, and with a robust switch (like one from Cisco), one could almost guarantee seeing every packet going through the switch. With a 10 Mbps link fully loaded at around 50% to 60% of the maximum bandwidth, the switch backplane could easily replicate every frame. Even with 100 Mbps one could be somewhat successful at acquiring all the frames for analysis and monitoring, and if a frame or two here and there was lost, it was no big problem.
This has all changed with Gigabit and 10 Gigabit technologies starting with the fact that maximum bandwidth is now twice the base bandwidth – so a Full Duplex (FDX) Gigabit link is now 2 Gigabits of data and a 10 Gigabit FDX link is now 20 Gigabits of potential data.
No switch or router can handle replicating/mirroring all this data in addition to its primary job of switching and routing. It is difficult, if not impossible, to pass all frames (good and bad ones), including FDX traffic at full line rate, in real time at non-blocking speeds.
Furthermore, in addition to this FDX need, we must also consider VLAN complexity and finding the origin of a problem once the frames have been analyzed and a problem detected.
From Cisco’s own White Paper disclaimer – on SPAN port usability and using the SPAN port for LAN network analysis:
Cisco warns that “the switch treats SPAN data with a lower priority than regular port-to-port data.” In other words, if any resource under load must choose between passing normal traffic and SPAN data, the SPAN loses and the mirrored frames are arbitrarily discarded. This rule applies to preserving network traffic in any situation. For instance, when transporting remote SPAN (RSPAN) traffic through an Inter Switch Link (ISL), which shares the ISL bandwidth with regular network traffic, the network traffic takes priority. If there is not enough capacity for the remote SPAN traffic, the switch drops it. Knowing that the SPAN port arbitrarily drops traffic under specific load conditions, what strategy should users adopt so as not to miss frames? According to Cisco, “the best strategy is to make decisions based on the traffic levels of the configuration and when in doubt to use the SPAN port only for relatively low-throughput situations.” This applies to timing issues as well!
Today’s “REAL” Data Access requirements
To add more complexity and challenges to the SPAN port as a data access technology:
1) We have entered a much higher utilization environment with many times more frames in the network;
2) We have moved from 10 Mbps to 100 Gbps Full Duplex; and
3) We have entered into the era of Data Security Legal Compliance and Lawful Intercept, which requires that we monitor all of the data and not just “sample” the data, with the exception of certain very focused monitoring technologies (e.g., application performance monitoring).
These demands will continue to grow since we have become a very digitally focused society. With the advent of VoIP and digital video we now have revenue generating data that is connection oriented and sensitive to bandwidth, loss and delay. The older methods need reviewing and the aforementioned added complexity requires that we change some of the old habits to allow for “real” 100% Full Duplex real time access to the critical data.
In summary, being able to provide “real” access is not only important for Data Compliance Audits and Lawful Intercept events, it is the law (keeping our bosses out of jail has become very high priority these days).
When is SPAN port monitoring methodology “OK”?
Many monitoring products can and do successfully use SPAN as an access technology, since they are looking for low-bandwidth application-layer events like “conversation analysis” and “application flows”, or for access to VoIP reports from call managers, etc.
These monitoring requirements use a small amount of bandwidth, and grooming does not affect the quality of the reports and statistics. The reason for their success is that they keep within the parameters and capabilities of the SPAN port, and they do not need every frame for their successful reporting and analysis. In other words, the SPAN port is a very usable technology if used correctly, and the companies that use mirroring or SPAN do so in a well-managed and tested methodology.
There are four main types of TAPs:
Breakout TAPs are the simplest type of TAPs. In their most basic form they have four ports. The network traffic travelling in one direction comes in port A and is sent back out port B unimpeded. Traffic coming from the other direction arrives in port B and is sent back out port A also unimpeded. The network segment does not “see” the TAP. At the same time the TAP sends a copy of all the traffic to monitoring ports C & D of the TAP. Traffic travelling from A to B in the network is sent to one monitoring port and the traffic from B to A is sent out the other, both going to the attached tool.
Aggregating TAPs provide the ability to take network traffic from multiple network segments and aggregate, or link bond, all of the data to one monitoring port. This is important because you can now use just one monitoring tool to see all of your network traffic. With the addition of filtering capability in the TAP you can further enhance your tools’ efficiency by only sending the data they need to see.
Regeneration TAPs take traffic from a single network segment and send it to multiple ports. This allows you to take traffic from just one point in the network and send it to multiple tools, so different teams in your company, like Security, Compliance or Network Troubleshooting, can see all the data at the same time for their own requirements, with no team contention over the availability of network monitoring points.
Bypass TAPs let you place network devices like IPS/IDS, Data Leakage Prevention (DLP), firewalls, content filtering and other security devices that need to be installed inline into the network without the risk of introducing a point of failure. With a bypass TAP, failure of the inline device, reboots, upgrades, or even removal and replacement of the device can be accomplished without taking down the network. In applications requiring inline tools, bypass TAPs save time, money and network downtime.
Please remember that a TAP does NOT have any filtering, nor does it alter the data flow in time or content; also, if a device has filtering or buffers, it is NOT a TAP!
IMPORTANT: Make sure the TAP incorporates a failsafe feature. This will ensure that if the TAP were to lose power or fail, the network will not be brought down as a result.
Conclusion
Spanning (mirroring) technology is still viable for some limited situations, but as one migrates to FDX Gigabit, 10 Gigabit and faster networks, and with the demands of seeing all frames for Data Security Compliance, Lawful Intercept and Deep Packet Inspection, one must use “real” access (TAP) technology to fulfill the demands of today’s complex analysis and monitoring requirements!
If the technology demands are not reason enough, consider that network engineers can then focus their infrastructure equipment on switching and routing and not spend their valuable resources and time setting up SPAN/RSPAN ports or rerouting data access.
In summary, the advantages of Taps compared to SPAN ports are ...
• Taps do not alter the time relationships of frames (spacing and response times), which is especially important with VoIP and Triple Play analysis, including FDX analysis.
• Taps do not introduce any additional jitter or distortion which is important in VoIP / Video analysis.
• VLAN tags are not normally passed through the SPAN port, so this can lead to false issues being detected and difficulty in finding VLAN issues.
• Taps do not groom data nor filter out physical-layer errored packets.
• Short or large frames are not filtered.
• Bad CRC frames are not filtered.
• Taps do not drop packets regardless of the bandwidth
• Taps are not addressable network devices and therefore cannot be hacked
• Taps have no setups or command line issues so getting all the data is assured and saves users time.
• Taps are completely passive and do not cause any distortion even on FDX and full bandwidth networks. They are also fault tolerant.
• Taps do not care whether the traffic is IPv4 or IPv6; they pass all traffic through.
A VACL as a monitoring and analysis access technology?
Since the above subjects have been covered in the referenced articles, I will now move on to explaining how the VACL from Cisco can be used, as an expensive, complex but limited data access technology.
VACL stands for VLAN Access Control List. The programming of a VACL is all command-line code and runs only on the latest models of Cisco switches. I find this a very difficult and expensive application and quite aberrant to the actual design and network functionality of a core network device. Nonetheless, some people think that it gives network milk to their analyzers. Most of the VACL followers still believe that SPAN access is acceptable for all network analysis and monitoring.
A VACL is defined by Cisco through many papers; for reference:
The VACL capability is available on 6000, 6500 and 7000 series Cisco switches
Cisco says “VACLs are primarily not designed to monitor traffic, but, with a wide range of capability to classify the traffic, the Capture Port feature was introduced so that network traffic analysis can become much simpler” Document ID: 89962 – This says it all.
More from Cisco – VACLs support only IP, IPX, and MAC-layer traffic. VACLs applied to WAN interfaces support only IP traffic for VACL capture. VACLs do not support any IPv6 traffic or higher layers over L2. In a VACL there is NO ingress or egress differentiation, so you do not know the direction of the frames, a serious limitation of using a VACL for monitoring and analysis! Also, a VACL can send a lot of traffic to your monitoring tool on one port, which can easily overload the monitoring device and overload the VACL port, causing dropped packets, etc.
The VACL is only for VLAN traffic and duplicate packets are possible.
When you configure a VACL and apply it to a VLAN, all packets that enter the VLAN are checked against this VACL. If you apply a VACL to the VLAN and an ACL to a routed interface in the VLAN, a packet that comes into the VLAN is first checked against the VACL and, if permitted, is then checked against the input ACL before it is handled by the routed interface. When the packet is routed to another VLAN, it is first checked against the output ACL that is applied to the routed interface, and, if permitted, the VACL configured for the destination VLAN is applied. If a VACL is configured for a packet type and a packet of that type does not match the VACL, the default action is deny.
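To make the evaluation order above concrete, here is an added Python simulation (not Cisco code and not from the article) of one packet's path through the ingress VLAN's VACL, the routed interface's ACLs and the destination VLAN's VACL, with a `capture` flag standing in for the capture-port action; the VLAN numbers, entries, addresses and host-route table are all constructed. It shows the quoted default deny biting when a capture-only VACL lacks a catch-all entry, and how a routed packet captured in both VLANs reaches the capture port twice with no record of direction.

```python
"""Simulation of the VACL / ACL evaluation order quoted above. Added example,
not Cisco code and not from the article; VLANs, entries and packets are
constructed. An entry flagged `capture` copies the packet to the capture port,
so a routed packet can be copied twice and the copy carries no direction."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Packet:
    proto: str  # packet type a VACL can classify: "ip" or "mac" here
    dst: str    # destination address (IP or MAC, as a string)
    vlan: int   # VLAN the packet enters on


@dataclass
class Entry:
    proto: str                       # packet type this entry classifies
    match: Callable[[Packet], bool]  # predicate on the packet
    action: str = "forward"          # "forward" or "drop"
    capture: bool = False            # also copy to the capture port


def apply_vacl(entries, pkt, captured):
    """True if forwarded; a VACL that classifies the type but has no match denies."""
    typed = [e for e in entries if e.proto == pkt.proto]
    if not typed:
        return True  # VACL does not classify this type: passes untouched
    for e in typed:
        if e.match(pkt):
            if e.capture:
                captured.append(pkt)
            return e.action == "forward"
    return False  # configured for this packet type, nothing matched: deny


def switch(pkt, vacls, in_acl, out_acl, routes):
    """Walk one packet through the quoted order: ingress VACL -> input ACL ->
    routing -> output ACL -> destination VACL. Returns (verdict, copies)."""
    captured = []
    if not apply_vacl(vacls.get(pkt.vlan, []), pkt, captured):
        return "denied by ingress VACL", captured
    dst_vlan = routes.get(pkt.dst)
    if dst_vlan is None or dst_vlan == pkt.vlan:
        return f"switched in VLAN {pkt.vlan}", captured  # stays at layer 2
    if not (in_acl(pkt) and out_acl(pkt)):
        return "denied by routed-interface ACL", captured
    if not apply_vacl(vacls.get(dst_vlan, []), pkt, captured):
        return "denied by destination VACL", captured
    return f"routed to VLAN {dst_vlan}", captured


MONITORED = "10.0.20.7"  # constructed address of the server being watched
VACLS = {
    # VLAN 10: capture entry but no catch-all, so other IP packets are denied (the 'Caution' above)
    10: [Entry("ip", lambda p: p.dst == MONITORED, capture=True)],
    # VLAN 20: the same capture entry plus the catch-all forward it needs
    20: [Entry("ip", lambda p: p.dst == MONITORED, capture=True),
         Entry("ip", lambda p: True)],
}
ROUTES = {"10.0.20.7": 20, "10.0.10.9": 10}  # constructed host routes: dst -> VLAN


def demo():
    packets = {
        "to_server": Packet("ip", MONITORED, vlan=10),      # captured twice, routed
        "peer": Packet("ip", "10.0.10.9", vlan=10),         # denied by VLAN 10's VACL
        "arp": Packet("mac", "ff:ff:ff:ff:ff:ff", vlan=10),  # not classified, switched
    }
    return {n: switch(p, VACLS, lambda _: True, lambda _: True, ROUTES)
            for n, p in packets.items()}
```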
These are the guidelines for the capture option in a VACL:
· The capture port cannot be an ATM port.
· The capture port needs to be in the spanning-tree forwarding state for the VLAN.
· The switch has no restriction on the number of capture ports.
· The capture port captures only packets permitted by the configured ACL.
· Capture ports only transmit traffic that belongs to the capture port VLAN. Configure the capture port as a trunk that carries the required VLANs in order to capture traffic that goes to many VLANs.
Caution: Incorrect combination of ACLs (Access Control List) can disrupt the traffic flow. Exercise extra caution while you configure the ACLs in your device.
Note: There are several limitations of VSPAN usage for traffic analysis:
· All layer 2 traffic that flows in a VLAN is captured. This increases the amount of data to be analyzed.
· The number of SPAN sessions that can be configured on the Catalyst 6000 & 6500 Series Switches is limited.
· A destination port receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed, it can become congested. This congestion can affect traffic forwarding on one or more of the source ports.
All of this checking and handing off, plus any congestion, will certainly lead to incorrect timing and possibly lost or duplicated packets. Plus, remember that this is just for VLANs, and no bad frames will be counted or passed on to the analysis/monitoring tool.
You cannot distribute the filtering to accommodate lower-bandwidth monitoring and analysis tools. The filtering is only for the lower layers and has very limited capability when compared to the new filter-based data access devices.
So a VACL can be used to monitor VLANs but has limitations, and to me the biggest limitation is getting it scripted correctly, and this even lacks any verification capability. Another big issue for me is that a 6500 or 7000 switch, which is designed to get the proper data to the proper IP/MAC address, costs from $40K to around $100K+ or more depending on the configuration. Is this the best use of your slim network dollars? With this level of $’s one could buy 2+ top-of-the-line, fully configured/loaded 10G access solutions and 3-4 of the lesser versions. All this, including complex CLI scripts with no debugging, to make your switch a poor monitoring access technology? Please also consider that in high security environments a VACL may not be allowed, as the VLAN lists are subject to DDoS/DoS, flood and miscellaneous jumping attacks and other layer 2 attacks. A VACL would not be allowed as the access technology for a CALEA warrant, in most cases.
People bring this up to me all the time as if they MUST support SPAN, and thus VACLs, as acceptable access technology. I will no longer hear arguments on the virtues of RSPAN! A switch is for getting packets to your users, just as a router is part of your infrastructure, and I find it difficult to use a device made for one application to try to fulfill another at the same time – it makes No Sense! It cannot be done, as the NEED is for a method for real visualization – Total Visibility – you have to be the judge of this and responsible for using viable technology.
As long as one can afford this and live within the limitations and complexity, I say go for it, as long as you know the devil you are dealing with and what you are NOT getting/seeing is OK with you and your monitoring, security and analysis strategy.
Let’s hope your boss doesn’t know that money is being wasted with such limited access and visibility. Do not lie to yourself or your company if you do not know the effects on the accuracy of your setup and devices – Test it! Testing and full, accurate comparison is the ONLY way to know the devil or angel you are dealing with and to understand the value and/or problems it can present in your successful visualization strategy. Hey, testing is fun; that is what engineers do: we design, build, test and redesign, retest, etc., then deploy!
I strongly suggest that if one is a serious analyst and needs quality and accuracy in their monitoring, security, compliance, etc. activities, one should use a TAP as the access technology so you can connect advanced filtering technology to get incredible and accurate visibility into your network, applications, etc.
Remember GIGO – Garbage In, Garbage Out! With today’s requirements for data security, the ONLY REAL access technique must be a TAP or optical splitter. The new GDPR and DPI requirements are for full capture and total visibility, thus SPAN, RSPAN and VACLs do NOT meet the requirements!
I wish everyone great success, and when looking at your data with a TAP you will see everything clearly and without distortion if you use a quality TAP. DO NOT GO TOO CHEAP – quality is a TOP requirement, especially when one is in the Fiber Optic/Glass/Photonic arena!
The Oldcommguy®© 2007 through 2022 – ALL rights reserved by original author Tim O'Neill