Network visibility and monitoring is critical to understanding how our network monitoring tools are performing. In today’s economy performance equates to dollars; having real-time visibility allows for quick troubleshooting and reduced mean time to resolution (MTTR).

Feeding the Flowmon solution, whether it's DDoS, network performance or application performance is a key component to ensure your investment receives all the data - every bit, byte and packet®. After all, you can’t monitor, what you can’t see.

Today, let’s talk about how Aggregation network test access points (TAPs) provide 100% visibility to your live network data.

Aggregation/regeneration network TAPs are used to capture 100% full duplex network traffic; the traffic can then be sent to multiple monitoring appliances  to analyze your network. Aggregation TAPs support breakout and regeneration/SPAN modes as well.

How Aggreagtion TAPs Work

With a simple, full duplex link (shown above) between a network router and a network switch:

Attach an Aggregating TAP to the link that connects them. 

Disconnect the cable that attaches the router to the switch from the switch end.

Connect the switch end of the cable to port A on the Aggregating TAP (no power has been applied to the TAP at this point). 

Take another cable and connect one end to the port B of the TAP and the other end to the connection on the switch that was previously disconnected. 

Now, with no power applied to the TAP, the TAP will reestablish the link and traffic flows again between the two devices. This happens because power has not been applied to the TAP, there will not be any traffic flowing out of ports C or D.

Now apply power to the TAP, the traffic flowing from the router to the switch through ports A and B, will also be applied to port C and to port D; the traffic flowing from the switch to the router will also be applied to port C and port D (see below, Figure 2).

Aggregating TAP Captures Full Traffic in Both Directions

Figure 2 shows how the network traffic will flow between the two end devices and the monitoring ports. The monitor ports C and D will each receive all of the traffic on the link. The benefit is that now you can use an analyzer that has only one NIC and get to see all the traffic on the link. Another benefit is that to send all the traffic out to another monitoring tool, like a the Flowmon APM or DDoS appliances.

Figure 2: Aggregating TAP Captures Full Traffic in Both Directions

There is one area of caution when you aggregate the traffic on a full duplex link, and that is the oversubscription of the monitor port. For example, if the link is a 1G link, then there is a possibility that each side of the link (send and receive) could have up to 1G of traffic. When you aggregate the traffic, you could effectively have up to 2G of traffic going out to the monitor port.  Whenever you are considering using aggregating network TAPs, make sure the link is not carrying heavy traffic.

Traffic Flow When TAP Loses Power

The Aggregating mode of a TAP maintains the same safety feature as the Breakout mode. If the TAP were to lose power for any reason, the link will continue to flow with minimum interruption based on IEEE Standards (Figure 3). If the media is fiber or copper at 10/100Mbps, there is no interruption.

Figure 3: Traffic Flow When TAP Loses Power​

The original post of this article is from Garland Technology’s The 101 Network TAP blog series.