
Understanding Network TAPs: The First Step to Visibility

Introduction

A network TAP is a simple device that connects directly to the cabling infrastructure to split or copy packets for use in analysis, security or general network management. Although the term "Tap" predates the networking industry by decades, the IT industry has generally adopted the term to mean Test Access Point. Thus, TAP is considered an acronym. This paper covers:

+  Background
+  TAP vs. SPAN
+  Network TAPs Overview
+  Types of TAPs and How They Work
   • Passive TAPs
     ° Optical Splitter Types
     ° Specialized 40Gb BiDi TAP
     ° Split Ratios
     ° Optical Speeds and Types
     ° Power Budgets and Light Loss
   • Active TAPs
   • Other TAPs
     ° Bypass Technology
     ° Aggregation TAP vs. Aggregation Node
     ° Standalone vs. Embedded TAPs
+  10GBASE-T
+  TAP Best Practices
+  Summary

WHITE PAPER | UNDERSTANDING NETWORK TAPS
Background

The heart of networking relies on a common set of communication protocols. Simple interconnections work regardless of the information passed in the payload. The brilliant simplicity of the system has evolved into a worldwide internet, enabling a huge array of applications, including everything from online banking to international telephone calls.

However, this same simplicity also creates complications.

Since every package looks the same from the outside, how do you know if a packet (or frame) contains the correct information? Did a specific banking transaction or an online sale close for the correct amount? Was a healthcare record properly filed according to compliance and tracking regulations? Was a client properly authorized to access a database?

Proper analysis of any of the above situations requires visibility into the actual packets running on the wire. All information passed resides in the packets. Of the hundreds of analysis tools available, most rely on packet information. As such, network monitoring and IT security have become a key component of every industry.



TAP vs. SPAN

There are two common methods to extract traffic directly from the system: TAPs and SPANs. A network TAP is a hardware component that connects into the cabling infrastructure to copy packets for monitoring purposes. A SPAN (Switch Port ANalyzer) is a software function of a switch or router that duplicates traffic from incoming or outgoing ports and forwards the copied traffic to a special SPAN (or sometimes called mirror) port.

In general, network TAPs are preferred over SPAN ports for the following reasons:

+  SPAN ports are easily oversubscribed and have the lowest priority when it comes to forwarding, which results in dropped packets
+  The SPAN application is processor-intensive and can have a negative performance impact on the switch itself, possibly affecting network traffic
+  Because SPAN traffic is easily reconfigured, SPAN output can change from day to day, resulting in inconsistent reporting

However, there are some situations where inserting a TAP is not practical. For example, traffic could be running on a physical infrastructure outside your direct control, or maintenance windows may not allow for timely TAP deployments. Perhaps a remote location may not be able to justify a permanent TAP, but has SPAN access for occasional troubleshooting needs since a SPAN can be added without bringing down a link. There are also speed or interface types for which a SPAN may be the only option. So a combination of TAP and SPAN usage is fairly common. To quote a networking axiom: TAP where you can, SPAN where you can't.

Network TAPs Overview

Since a network TAP provides the most effective means to copy actual traffic running across a system, the remainder of this paper is dedicated to TAP types, usage and functionality. It should be noted that TAPs are available for a wide variety of network speeds and cable types. Instead of two switches or routers connecting directly to each other, the network TAP sits between the two endpoint devices, connected directly to each of them. Then traffic is seen and copied, providing visibility into the networked traffic. See Figure 1.

TAPs are straightforward devices that run for years and are generally placed in secured locations. Once traffic is tapped, the copy can be used for any sort of monitoring, security, or analytical use. Thus, TAPs are a key component of any visibility system.

[Figure 1 diagram: "Direct Cabling" shows Router connected directly to Router; "Cabling with TAP" shows Router, Network TAP, Router in line]

Figure 1: Direct cabling vs. TAP cabling



Types of Network TAPs and How They Work

There are many different types of TAPs. The two primary types of network TAPs are:

+  Passive TAPs
+  Active TAPs

Passive TAPs

A passive TAP requires no power of its own and does not actively interact with other components of the network. It uses an optical splitter to create a copy of the signal and is sometimes referred to as a "photonic" TAP. Most passive TAPs have no moving parts, are highly reliable and do not require configuration.

A TYPICAL TAP INSTALLATION INVOLVES:

1. Placing the TAP on a shelf or in a rack
2. Connecting the cables
3. Verifying everything is working

It is really that simple. If the TAP fails to work, there is probably a cabling issue or a bad connection. Do be aware that installing or replacing a TAP in an existing environment does bring down the link while the cables are reconnected. So TAP installations are typically scheduled during pre-defined maintenance windows, or during the network architecture design phase, prior to running live traffic.

Optical fiber sends light from a transceiver through a thin glass cable to a receiver on the other end. Instead of connecting directly to each other, each of the two endpoint nodes (switches, routers, database, etc.) is connected to network ports on the TAP. These special ports are physically wired in pairs such that traffic continually passes through them. In addition to the network ports are monitoring ports. The monitoring ports send out complete copies of the traffic seen, as shown in Figure 2.

[Figure 2 diagram: Switch X and Switch Y network ports (RX/TX, X OUT/X IN, Y OUT/Y IN) connected by external fiber to the TAP; internal fiber runs through a splitter to the Monitor ports TXX and TXY]

Figure 2: TAP diagram showing logical flow

Unlike network ports with both TX (transmit) and RX (receive) traffic, monitoring ports are unidirectional and only send traffic. They have no ability to receive traffic and never pass traffic back into the system. You will notice there are two monitoring ports in the diagram. Since each network port both sends and receives traffic, a 10Gb link could have 20Gb running across it. If all this traffic were put into one monitor cable, the link could quickly be oversubscribed. By running two separate monitor links, oversubscription is eliminated. The monitored traffic is thus separated into two transmit (TX-only) signals, one copy from endpoint A (Switch X) and one copy from endpoint B (Switch Y).



As depicted in Figure 2, a passive network optical TAP leverages a simple internal design. The external connectors lead to sets of glass fibers, splitters and more glass fibers leading back to the external connectors. Each splitter has one fiber coming in and two going out.

OPTICAL SPLITTER TYPES

Internal to the TAP, between the network port pairs, lies a small piece of hardware called an optical splitter. The splitter does exactly as the name implies; it splits an optical stream into two paths. A portion of the light continues onto its original destination; the second path is directed to a monitor port.

A traditional method to split the light is to fuse (or melt) two cables together such that a portion of the light is funneled off to the secondary stream. This technology is called Fused Biconical Taper (FBT) and is shown in Figure 3. The concept is similar to when a river hits a fork. A portion of the water continues in the original direction while the rest takes an alternative path. Both forks of the river continue to flow downstream. Like water, light is also directional. As a result, the FBT tends to pass the traffic one way. FBTs tend to be low cost and work well for lower-speed cable plants.

[Figure 3 diagram: two fibers thermally fused together]

Figure 3: Fused Biconical Taper (FBT)

A second splitter type uses Thin Film technology. The concept here is similar to shining a flashlight through a clear glass window. Although the majority of the light continues through the window, a portion of the light is reflected back as it hits the glass. If angled properly, a semipermeable membrane cutting across the fiber will copy a portion of the optical signal to the monitor port, as shown in Figure 4. Thin Film's reflective technology tends to have a lower loss rate when working with high-speed links, such as 100Gb where hot spots tend to occur due to uneven light distribution across the fiber. The FBT slice sees only the portion of the light where it is fused. Thin Film is more evenly distributed because it sees the reflected light across the entire diameter of the cable.

[Figure 4 diagram: thin film layer of a given layer thickness set at angle α across the fiber, reflecting a portion of light of wavelength λ]

Figure 4: Thin Film splitter technology

SPECIALIZED 40GB BIDI TAP

Thin Film is also preferred for TAP bidirectional links, such as 40Gb Cisco BiDi, because multiple wavelengths can be reflected simultaneously to break out each lambda (or wavelength) of light. Cisco BiDi leverages 40Gb technology using standard LC-based cabling to minimize the overall costs of deploying 40Gb links. This is a growing trend, especially with regard to Cisco leaf/spine configurations. See Figure 5 for an example of how reflective technology is used within this highly-specialized passive TAP.

[Figure 5 diagram: LIVE A and LIVE B network ports each carrying Tx850/Rx900 and Rx850/Tx900; the 850nm (50%) and 900nm (50%) reflections are broken out to the OUT A and OUT B monitor ports as separate Tx850 and Tx900 signals]

Figure 5: Thin Film used in a bidirectional implementation



SPLIT RATIOS

Regardless of the method used, the passive splitter physically diverts a portion of the light from its original source. The proportional share of light for each path is known as the split ratio. The split ratio is written as a combination of two percentages. The first number is designated as the network percentage, the second number is the monitor percentage. They always add up to 100 percent. For example, a common split ratio for traditional 1Gb short-range links is 70/30, where seventy percent of the light continues to the network and thirty percent is allocated to the monitor port.

The concept is to allocate more light to the network to reduce the risk of dropping network traffic. Speeds such as 10Gb, 40Gb and 100Gb have different technical requirements and tend to use more of an even split ratio such as 50/50 or 60/40. The most common split ratio deployed in networks today tends to be 50/50, provided the proper light levels are available. When light levels are marginal, the safe option is to move to better optics offering higher safety margins.

Gigamon tests every TAP manufactured and provides the actual tested loss values with each Gigamon-branded TAP shipped. In addition, Gigamon data sheets for TAPs describe the maximum acceptable network and monitor loss values (including connections) for each split ratio, which are as follows:

Multimode Passive TAPs

  Split ratio        50/50    60/40    70/30
  Max network loss   3.9dB    3.15dB   2.2dB
  Max monitor loss   3.9dB    5.15dB   6.2dB

Singlemode Passive TAPs

  Split ratio        50/50    60/40    70/30
  Max network loss   3.7dB    3.05dB   2.0dB
  Max monitor loss   3.7dB    4.95dB   6.1dB

Figure 6: Gigamon published maximum loss (which includes connections) charts for various split ratios

OPTICAL SPEEDS AND TYPES

Fiber TAPs are available for a wide variety of speeds and cable types. Most networks rely on IEEE 802.x standard-based optical cables. Speed is shown in gigabits per second or Gbps. However, it is commonly shortened to Gb or G. The most common speeds in use today are 1Gb, 10Gb and 40Gb, but the trend is quickly moving toward higher speed networks of 100Gb. Speeds of 400Gb are on the horizon, and expected to be available in the next few years. Since different transceiver technologies are leveraged for each speed, passive fiber TAPs do not change speeds midstream. If traffic is coming in at 10Gb with a wavelength of 1550nm, the traffic after the split has the same speed and wavelength.

For best results, cable types should be consistent across the flow. Match the cables to the need. In general, there are two major categories of fiber cable:

+  Multimode
+  Singlemode



Shorter distance links often run over multimode cable, while longer distance connections tend to use singlemode cable. The main difference between the two is multimode has a larger core diameter (up to 62.5μm), which allows for a broader dispersion of light. This permits lower-cost, LED-based optical transmitters to be used, keeping the overall cost down.

Since the light is dispersed across multiple modes on a larger core, the light has a tendency to bounce around a lot while it is traveling through the cable. Since different modes travel different lengths, the signals arrive at different times, making it difficult to distinguish one pulse from another. This leads to higher attenuation, or loss of signal, as the light travels down its path. Because of this, multimode is only rated for shorter runs of up to a couple hundred meters, depending on the cable type. It should be noted that the larger-core multimode cabling (62.5μm) should only be used for 1Gb and below.

[Figure 7 diagram: cross-sections of a multimode cable (large core, cladding) and a singlemode cable (small core, cladding)]

Figure 7: Multimode and singlemode cables



Singlemode fiber runs at higher bandwidths over smaller cores. This requires higher precision instrumentation and higher priced laser diodes to transmit the signal. Vertical-Cavity Surface-Emitting Lasers (VCSELs) are small flat emitters commonly used for short and medium distances. Longer distances such as 40km and beyond require more precise (and higher-temperature) Fabry-Perot lasers. Figure 8 depicts common cable types.

POWER BUDGETS AND LIGHT LOSS

When you look to the night sky you see stars. However, there are many stars the eye cannot see. Light is obstructed by clouds or pollution. It is also dependent on the brightness (or power) generated by the star itself and the sensitivity of your eyes. Unlike starlight that has traveled billions of miles in a relatively straight line through the vacuum of space to your eye, the low-powered light in an optical cable is bouncing off the walls of the cable shielding and must transfer through multiple connections which all inflict light loss. As a result, cable light levels degrade fairly quickly.

Optical power loss of fiber optic cable is measured in decibels (dB). A quality light source is required for the receiving end to properly understand the signal. If the signal is too weak, the message will not be properly interpreted and packets will be dropped.

The optical Power Budget is the difference between the Transmitter Power output and the Receiver Sensitivity as shown in Figure 8. All passive TAPs divert a portion of the light without boosting the signal. So it is important to understand how much loss is incurred to preserve proper light margins. It is also critical to recognize that the devices transmitting and receiving the light are completely external to the TAP and all have their own degrees of variance. Most optic vendors provide specific power and receiver sensitivity information about their products, which may vary significantly from the industry specifications. In many cases, the actual numbers are much better than those shown in the Institute of Electrical and Electronics Engineers (IEEE) Standards 802.3 documents.

Within a cable infrastructure it is important to understand what components can negatively affect the light as it travels from one point to another. Some degradation, such as attenuation, is simple math and cannot be avoided. These types of degradation tend to be linear and relatively small compared to other loss factors, such as dirty connections, poor splices or mixing cable types, that can have a serious loss impact and should be avoided. Handheld Optical Time-Domain Reflectometer (OTDR) devices are available to test cable plants by injecting a series of optical pulses and then measuring light as it is reflected back from points along the fiber. Although these are often used for troubleshooting, they can quickly validate some of your calculations.

  Cable Type                          Diameter (μm)   Color     Connector   Typical Usage
  OM1 Multimode                       62.5/125        Slate     LC          FE/1Gb/10Gb
  OM2 Multimode                       50/125          Orange    LC          FE/1Gb/10Gb
  OM3/OM4 Multimode                   50/125          Aqua      LC/MPO      FE/1Gb/10Gb/40Gb/100Gb
  OS1/OS2 Singlemode                  9               Yellow    LC          FE/1Gb/10Gb
  Cat 5e/Cat 6A Copper/twisted pair   N/A             Various   RJ45        FE/1Gb

Figure 8: Common cable types



[Figure 9 chart: Power (vertical) against Distance (horizontal). Point (a) is Transmitted Power; the drop from (a) to (b) and from (c) to (d) is Connection Loss; the slope from (b) to (c) is Cable Attenuation; (e) is Receiver Sensitivity. The span from (a) to (e) is the Power Budget and the gap above (e) after all losses is the Margin.]

Figure 9: Theoretical loss chart

The above chart shows the assumed loss associated between two endpoints with a transmitter at one end and a receiver at the other with two connectors (one at each end). The following formulas may be used:

  Power Budget = Transmitter Power – Receiver Sensitivity = a – e
  Cable Attenuation = Decrease in signal strength due to absorption and scattering per kilometer of a given cable type = b – c
  Connection Loss = Signal degradation due to connectors in the system = (a – b) + (c – d)
  Total Cable Plant Loss = Cable Attenuation + Connection Loss = (a – b) + (b – c) + (c – d)
  Power Margin = Additional power that could be consumed while still providing a valuable signal = Power Budget – Total Cable Plant Loss

Whenever possible, it is best to run the calculations using the actual numbers from the transceivers and cables in use. An alternative method is to take the worst-case scenario and plug in the minimum numbers as established in the IEEE specifications. If we were to pull numbers for a 10 meter run of OM2 multimode fiber running 1Gb (according to IEEE 802.3-2012 section 3 specifications) we would find:

  1000BASE-SX Transceiver Average Launch Power (Min) = -9.5dBm
  1000BASE-SX Receiver Sensitivity = -17dBm
  Attenuation rate of multimode cable (for 10 meters) = 3.5dB/km = .035dB/10m
  Connection loss of multimode connectors = .5dB

Plugging the worst-case numbers into the original equations, we would come to the following conclusions:

  Power Budget = (-9.5) – (-17) = 7.5dBm
  Cable Attenuation (10 meters) = 3.5/100 = .035dB
  Connection Loss = .5 x 2 connectors = 1dB
  Total Cable Plant Loss = Cable Attenuation + Connection Loss = .035 + 1 = 1.035
  Power Margin = 7.5 – 1.035 = 6.465

Thus with a Power Margin of 6.465 dB, a TAP will fit nicely into this network. The TAP with the highest Maximum Loss in Figure 6 is 6.2 dB (including connections to the TAP). So there is ample margin to insert a 50/50, 60/40, or 70/30 split ratio TAP into this environment.

However, the user should be aware that all environments are different. The 1Gb example shown above provides for a much larger margin than higher-speed optics such as 10Gb, 40Gb and 100Gb. As an example, the entire power budget allocated for some short-range 40Gb transceivers is less than 2 dBm. Best practice dictates running the numbers for each installation. As a general rule, Gigamon does not recommend using a 70/30 split ratio for 10Gb multimode infrastructures as the light margins are too low for the monitored traffic.
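The power budget, cable plant loss and margin calculation above, carried through in code and then checked against the Figure 6 maximum TAP loss values for each split ratio. This is an added example, not code from the paper; the second, tight-budget link is constructed to show the higher-speed caveat, and treating the monitor path against the same margin as the network path is an assumption.

```python
"""Optical power-budget check for passive TAP insertion.

Added example; not code from the Gigamon paper. It implements the paper's
formulas (Power Budget = Transmitter Power - Receiver Sensitivity,
Total Cable Plant Loss = Cable Attenuation + Connection Loss,
Power Margin = Power Budget - Total Cable Plant Loss) and then compares the
margin against the Figure 6 maximum TAP loss values per split ratio.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Figure 6 of the paper: maximum loss in dB (including connections to the
# TAP), keyed by fiber category and split ratio -> (network, monitor).
TAP_MAX_LOSS_DB: Dict[str, Dict[str, Tuple[float, float]]] = {
    "multimode": {"50/50": (3.9, 3.9), "60/40": (3.15, 5.15), "70/30": (2.2, 6.2)},
    "singlemode": {"50/50": (3.7, 3.7), "60/40": (3.05, 4.95), "70/30": (2.0, 6.1)},
}


@dataclass
class Link:
    """Worst-case figures for one end-to-end optical link."""
    tx_power_dbm: float           # minimum average launch power of the transmitter
    rx_sensitivity_dbm: float     # receiver sensitivity
    attenuation_db_per_km: float  # cable attenuation for this fiber type
    length_m: float               # cable run length
    connector_loss_db: float      # loss per connector
    connector_count: int          # connectors in the run (2 = one at each end)

    def power_budget_db(self) -> float:
        return self.tx_power_dbm - self.rx_sensitivity_dbm

    def cable_attenuation_db(self) -> float:
        return self.attenuation_db_per_km * self.length_m / 1000.0

    def connection_loss_db(self) -> float:
        return self.connector_loss_db * self.connector_count

    def total_plant_loss_db(self) -> float:
        return self.cable_attenuation_db() + self.connection_loss_db()

    def power_margin_db(self) -> float:
        return self.power_budget_db() - self.total_plant_loss_db()


def tap_fit(link: Link, fiber: str) -> Dict[str, dict]:
    """Margin left on the network and monitor paths after inserting a TAP
    of each split ratio. Assumption not made explicit in the paper: the
    monitor path (TAP to tool) is judged against the same margin as the
    network path, which is what the paper's 6.2 dB comparison implies."""
    margin = link.power_margin_db()
    report = {}
    for ratio, (net_loss, mon_loss) in TAP_MAX_LOSS_DB[fiber].items():
        net_margin = margin - net_loss
        mon_margin = margin - mon_loss
        report[ratio] = {
            "network_margin_db": net_margin,
            "monitor_margin_db": mon_margin,
            "fits": net_margin >= 0.0 and mon_margin >= 0.0,
        }
    return report


# The paper's example: 1000BASE-SX over 10 m of OM2 multimode, using the
# IEEE worst-case numbers quoted in the text above.
PAPER_EXAMPLE = Link(tx_power_dbm=-9.5, rx_sensitivity_dbm=-17.0,
                     attenuation_db_per_km=3.5, length_m=10,
                     connector_loss_db=0.5, connector_count=2)

# Constructed (not from the paper) short-range link with a budget of only
# 2.5 dB, to show how quickly the margin disappears on higher-speed optics.
TIGHT_EXAMPLE = Link(tx_power_dbm=-7.0, rx_sensitivity_dbm=-9.5,
                     attenuation_db_per_km=3.5, length_m=10,
                     connector_loss_db=0.5, connector_count=2)


def print_report(name: str, link: Link, fiber: str) -> None:
    print(f"{name}: budget {link.power_budget_db():.3f} dB, plant loss "
          f"{link.total_plant_loss_db():.3f} dB, margin {link.power_margin_db():.3f} dB")
    for ratio, r in tap_fit(link, fiber).items():
        verdict = "fits" if r["fits"] else "does NOT fit"
        print(f"  {ratio}: network margin {r['network_margin_db']:+.3f} dB, "
              f"monitor margin {r['monitor_margin_db']:+.3f} dB -> {verdict}")


if __name__ == "__main__":
    print_report("1Gb OM2 (paper example)", PAPER_EXAMPLE, "multimode")
    print_report("tight-budget link (constructed)", TIGHT_EXAMPLE, "multimode")
```

Swap in the launch power and sensitivity from the transceiver data sheets in use, as the paper recommends, and the same report shows which split ratio is safe for a given run.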



To quickly summarize light calculations determining passive TAP placements, there are four primary considerations that come into play:

1. Transmit power (the starting light signal)
2. Receiver sensitivity (residual light seen at the other end)
3. Light loss within the cable plant (prior to TAP insertion)
4. Impact of the TAP (the actual TAP signal loss)

Active TAPs

Active TAPs are not passive. They require their own power source to regenerate the signals. There is no split ratio consideration because the TAP receives the message and then retransmits it to both the network and monitoring destinations. From a high-level perspective this would appear to be a positive feature. Even so, passive TAPs are preferred. During a power outage, an active TAP cannot regenerate the signal, so it becomes a point of failure. Since a passive TAP is not powered, it would be unaffected during a power outage and the packets (originating from a source that still has power) would continue to flow. Some active TAPs do incorporate bypass or failover technologies to mitigate this issue, but more on that toward the end of this section.

When are active TAPs preferred? Active TAPs are commonly used for the following applications where passive TAPs are not a good alternative:

1. Locations where the light levels are too low to use a splitter → regeneration provides a viable solution
2. Copper infrastructures → where electricity is used to move electrons (instead of photons)
3. Signal conversions → since an active TAP regenerates the signal anyway, it can also be designed to create a signal of a different type (such as 10Gb SR converted to 10Gb LR)
4. SFP-based links that cannot otherwise be broken (such as TwinAX cabling) → regeneration works here as well

As long as the drawbacks of power failure are fully understood, active TAPs provide excellent value and extend visibility to sections of the network that would otherwise go unmonitored. Sophisticated active TAPs offer battery backup to extend usage during power failures. When the battery begins to die, some TAPs will offer additional failover capabilities. For example, when certain active copper TAPs lose power, electromagnetic relays fall into place to physically close a link to allow traffic to continue flowing through the network. The monitoring traffic stops, but at least the network traffic is protected. Do be aware that when the relay closes, a renegotiation takes place so a few packets would be affected. TCP transmissions would normally accommodate for the loss, but be aware higher speed networks are more susceptible to routing table changes and other effects.

[Figure 10 diagram: G-TAP® A-TX front panel with Batt Pwr, Main Pwr, Mgmt (PoE), PoE and Console ports, Network ports A/B and Monitor/Tool ports A/B]

Figure 10: An example of a G-TAP® ATX always-on active copper TAP providing multiple power options, battery backup and failover capabilities

Other TAPs

BYPASS TECHNOLOGY

Bypass technology is the ability to take an active flow of traffic and quickly reroute the flow to "bypass" a particular process. From a hardware perspective, bypass technology is a derivative of a TAP. It uses similar port pair interconnections as a TAP to provide link protection capabilities, typically for security-based inline tools.

An inline tool passes live traffic directly through a tool to process the live traffic before it is forwarded on to its final destination. Unlike most out-of-band analysis tools that never affect live traffic, an inline tool, such as an Intrusion Prevention System (IPS), can drop or even add packets into the production network. Since it is running as an inline application, a tool failure could be devastating and bring down the entire system. Bypass technology was designed to protect this from happening. These devices can bypass a tool that enters into a degraded or down state. This could be due to power failure or even oversubscription. The bypass device will continually monitor the tool by issuing heartbeats. If a heartbeat does not properly pass through the tool, the device will automatically close a link, forming a bypass connection.
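The heartbeat-driven bypass behaviour just described, as an added simulation that is not Gigamon code: a controller sends heartbeats through the inline tool, fails to wire when they stop returning, and re-inserts the tool once it answers again. The miss threshold, the recovery rule and the alarm hook are assumptions; the paper only states that a missed heartbeat closes the bypass link.

```python
"""Simulation of the bypass heartbeat mechanism described above.

Added example; not Gigamon code. A bypass device sends heartbeat frames
through the inline tool (e.g. an IPS). While they come back, production
traffic keeps flowing through the tool; when they stop, the device closes
the bypass link so traffic skips the tool. The miss threshold, the
recovery rule (several consecutive good heartbeats before re-inserting the
tool) and the alarm hook are assumptions, not taken from the paper.
"""
from enum import Enum
from typing import Callable, List, Optional, Tuple


class BypassState(Enum):
    INLINE = "inline"  # live traffic passes through the tool
    BYPASS = "bypass"  # link closed around the tool; tool sees nothing


class BypassController:
    def __init__(self, miss_threshold: int = 3, recover_threshold: int = 5,
                 alarm: Optional[Callable[[str], None]] = None):
        self.state = BypassState.INLINE
        self.miss_threshold = miss_threshold        # assumed value
        self.recover_threshold = recover_threshold  # assumed value
        self.alarm = alarm or (lambda msg: None)    # hook for the SOC/NMS
        self.misses = 0
        self.oks = 0
        self.transitions: List[Tuple[int, BypassState]] = []

    def heartbeat(self, tick: int, returned: bool) -> BypassState:
        """Record one heartbeat result and apply the state rules."""
        if returned:
            self.oks += 1
            self.misses = 0
        else:
            self.misses += 1
            self.oks = 0
        if self.state is BypassState.INLINE and self.misses >= self.miss_threshold:
            # Tool degraded or down: fail-to-wire so the link stays up.
            # While bypassed the IPS is not inspecting, so this is an
            # alarm condition for the security team, not just a log line.
            self.state = BypassState.BYPASS
            self.transitions.append((tick, self.state))
            self.alarm(f"tick {tick}: inline tool unresponsive, link bypassed")
        elif self.state is BypassState.BYPASS and self.oks >= self.recover_threshold:
            # Tool answers heartbeats again: re-insert it into the path.
            self.state = BypassState.INLINE
            self.transitions.append((tick, self.state))
            self.alarm(f"tick {tick}: inline tool recovered, bypass cleared")
        return self.state

    def forward(self, frame: bytes,
                tool: Callable[[bytes], Optional[bytes]]) -> Optional[bytes]:
        """Production frame path. Inline: the tool may drop (None) or
        modify the frame. Bypassed: the frame passes through untouched."""
        if self.state is BypassState.BYPASS:
            return frame
        return tool(frame)


def run_scenario(tool_health: List[bool], miss_threshold: int = 3,
                 recover_threshold: int = 5) -> List[Tuple[int, BypassState]]:
    """Drive the controller with a constructed per-tick tool health sequence
    (True = heartbeat came back) and return the state transitions."""
    ctl = BypassController(miss_threshold, recover_threshold)
    for tick, healthy in enumerate(tool_health):
        ctl.heartbeat(tick, returned=healthy)
    return ctl.transitions


# Constructed scenario: the tool is fine for 4 ticks, goes dark for 5
# (e.g. power loss or oversubscription), then recovers.
SCENARIO = [True] * 4 + [False] * 5 + [True] * 6

if __name__ == "__main__":
    for tick, state in run_scenario(SCENARIO):
        print(f"tick {tick}: -> {state.value}")
```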



AGGREGATION TAP VS. AGGREGATION NODE

As described earlier in this paper, one of the benefits of a TAP is having separate monitoring ports for ingress and egress. There are, however, some TAPs that combine both feeds into a single monitoring port. This is sometimes called an aggregation TAP. The benefit is it reduces the number of monitoring ports, but the drawback is the risk of oversubscription and dropped packets. As such, these devices are not commonly recommended. If links are running at low utilization (<5-10%), a better option is to combine edge traffic from multiple TAPs by use of an aggregation node. These devices, like the Gigamon GigaVUE-TA Series, offer filtering rules to aggregate traffic prior to sending traffic to more intelligent components of the Visibility Platform.

STANDALONE VS. EMBEDDED TAPS

TAP technology has traditionally been deployed as standalone devices, remotely distributed across the network wherever traffic needs to be seen. The monitoring ports can either connect directly to the analysis tool, or to the visibility nodes to efficiently filter and distribute traffic among multiple tools. A growing trend is to deploy the TAP hardware as an embedded module within a visibility node. One major physical difference between standalone TAPs and embedded TAPs is the exposed ports. Standalone TAPs have ports for both network and monitoring connections, while embedded TAPs only expose the network ports. The monitoring ports are connected directly to the backplane of the system and routed accordingly. This simplifies the cabling infrastructure and enhances operational efficiencies. Since there are no open monitoring ports, it is impossible to arbitrarily connect a Sniffer or other capture device without proper configuration. Thus it provides for a more secured environment.



10GBASE-T

10GBASE-T is an Ethernet technology designed to deliver 10Gbps rates over short-reach copper pairs. It is mainly used in top-of-rack switches, servers or appliances in a data center to drive down the cost of infrastructure and connectivity. Current 10GBASE-T SFP+ transceivers exceed the maximum power dissipation requirement in the SFP+ specification (SFF-8431). Additionally, because of the high speed of 10Gbps and associated noise on a copper link, such links are not conducive for TAPing. Recommended options in such situations are:

+  Best option: Do not use 10GBASE-T if TAPing is required – use a 10G Short-Reach (SR) interface instead, which can be readily TAPed
+  Alternative option 1: Use a SPAN/port mirror on the switch hosting the 10GBASE-T link. Be aware of the limitations of SPAN sessions when using this option, as explained in the "TAP vs. SPAN" section above
+  Alternative option 2: Use back-to-back media converters with a TAP or port pair, noting this has no fail-to-wire. Note that as the 10GBASE-T PHY performs significant signal processing, this adds considerably more latency than the corresponding 10G optical PHY would. For latency sensitive applications, the impact of the two media converters needs to be taken into account



TAP Best Practices

A TAP is a basic building block of any visibility system. For complete coverage, many companies have adopted a TAP-ALL strategy as a best practice. This means that all critical links are set up with TAPs (and/or SPANs), even if the traffic is not under continuous monitoring. By having the TAP already in place, in the event of a security breach or troubleshooting requirement, the data is readily accessible.

The best time to deploy a TAP is when the infrastructure is being built, as it is always more costly to introduce equipment after the fact. A TAP installation requires bringing down a network link, so it should be done during a scheduled maintenance window.

TAPs are generally preferred over SPAN ports, yet both provide value. Best practices dictate deploying physical TAPs for critical links with medium to high utilization. SPANs are best used in locations that are not conducive to TAPs. Examples include links with power budget limitations and remote sites with low-utilization links.

Traditionally, if both options were available, passive TAPs were generally preferred over active TAPs. The primary reason for this was to minimize loss during power outages. This trend, however, is changing. Not only do active TAPs boost the signal to provide longer distances, but many now include battery backups to minimize power loss and provide fail-safe operation.

Fully understand the light limitations of your environment prior to making any infrastructure change. Power budgets dictate proper TAP deployment. They are also used to determine the appropriate split ratios to deploy. Major obstacles regarding loss include distance (attenuation), connections, split ratios, splices and dirty environments. It is always best to use the sensitivity and power ratings of the specific optics in use. When actual vendor-based light numbers are unavailable, worst case numbers may be calculated as per IEEE specifications. If the power budget is too narrow, consider using an active TAP or SPAN port. Another option is to upgrade the optics and cabling to a standard rated for longer distances. Longer-distance optics are more expensive, but tend to use higher-end lasers leading to stronger signals. Having extra power margin on a critical link removes risk and is often worth the extra expense.

Most TAP failures are due to improper cabling. When connecting TAPs, always use new cabling and properly clean all connections. Never mix and match cable types within a single, end-to-end link. Verify the wiring diagrams to ensure the proper cables are plugged into each port. Match each TAP to the cable type in use and never bend cabling beyond specifications. For newer technologies, such as Cisco BiDi deployments, only use TAPs that are rated for the exact wavelengths in use.

Not all TAPs are created equal. Check with peers within your industry for recommendations of quality vendors and ask about hardware warranties. Like optical transceivers, mileage can vary from one vendor to another. If a vendor only warrants the product for a short period of time, question the quality. There is no harm in asking for Mean Time Between Failure (MTBF) rates either.

Although a TAP can be connected directly to a monitoring tool, it is far better to connect directly to the Gigamon Visibility Platform. The Visibility Platform is a matrix of nodes deployed throughout the infrastructure to act as a common platform to move packets from any source to the proper monitoring, analysis or security tools. This allows for tool consolidation to optimize your monitoring solutions while extending overall visibility across the network for pervasive security and analysis. Traffic can be replicated, aggregated or filtered as required. Higher-level intelligence such as packet de-duplication, SSL/TLS decryption or header stripping can also be accomplished within the platform, reducing the load on each of the tools while accelerating mean time to resolution when problems emerge. NetFlow generation is also available, making more efficient use of critical switches and routers.



Summary

A TAP represents the connection point where real traffic is copied directly from the network. As such, it is the first step toward any visibility solution. TAPs can be standalone devices or integrated directly as a module inside a visibility node. In both cases, traffic is copied for monitoring, security and analysis as the traffic continues to pass through the network unimpeded.

Gigamon is the first company to deliver unified network visibility and analytics on all data-in-transit, from raw packets to apps, across physical, virtual and cloud infrastructure. We aggregate, transform and analyze network traffic to solve for critical performance and security needs, including rapid threat detection and response, freeing your organization to drive digital innovation. In short, we enable you to run fast, stay secure and innovate. Gigamon has been awarded over 75 technology patents and enjoys industry-leading customer satisfaction with more than 3,000 organizations, including 80 percent of the Fortune 100. Headquartered in Silicon Valley, Gigamon operates globally. For the full story on how Gigamon can help you, please visit www.gigamon.com.



About Gigamon
Gigamon provides network visibility and analytics on all traffic across your physical, virtual and cloud networks to solve critical security, performance and business continuity needs. The Gigamon Visibility and Analytics Fabric delivers optimized network and security performance, simplified management and accelerated troubleshooting while increasing your tools' return on investment. Gigamon's comprehensive solutions accelerate your organization's ability to detect and respond to security threats, including those hidden in encrypted traffic. Trusted by 83% of the Fortune 100 and 4,000 organizations worldwide, Gigamon ensures that your business can run fast and stay secure in The New Tomorrow.

© 2019-2020 Gigamon. All rights reserved. Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found
at www.gigamon.com/legal-trademarks. All other trademarks are the trademarks of their respective owners. Gigamon reserves the right to change, modify, transfer, or otherwise
revise this publication without notice.

Worldwide Headquarters 10.20_08


3300 Olcott Street, Santa Clara, CA 95054 USA
+1 (408) 831-4000 | www.gigamon.com
