Tap and SPAN. They're the same thing, right? Wrong. Some network engineers may not know the difference, but there are clear and distinct differences between these two ways of getting a copy of traffic. Understanding them will help you elevate your game when it comes to network performance monitoring (NPM) and application performance monitoring (APM).
Here are four main factors that matter when it comes to a Tap or SPAN choice:
■ There is a difference in data type and quality from each device
■ The location of monitoring data capture matters
■ Time to resolution for troubleshooting activities is a factor
■ There are hidden administration costs for SPAN ports
1. The Difference Between TAP and SPAN
First, what is the difference between a test access port (Tap) and a switched port analyzer (SPAN) port?
A Tap is a purpose-built device that passively makes a copy of the traffic on a link without altering it. Once you install it, you are done; no programming is required. SPAN ports, also called mirror ports, are a feature of Layer 2 and Layer 3 network switches. They are active: the switch has to be configured to copy the desired traffic to the SPAN destination port, and reconfigured whenever what you want to see changes.
A key difference is that a switch checks frames on ingress: frames with a bad frame check sequence (FCS) and frames shorter than the 64-byte Ethernet minimum (runts) are discarded before they can be mirrored. That may sound beneficial, but monitoring tools used for troubleshooting normally need every frame on the segment. Malformed frames are themselves evidence: whether they exist, and when they started to appear, tells you where and when corruption began. No monitoring data means longer problem resolution times.
In addition, SPAN ports lose other information a Tap preserves. Physical-layer errors are gone, and some Layer 2 information may be dropped or altered depending on platform and configuration (on many switches, for example, VLAN tags are not carried on the mirrored copy unless that is explicitly enabled). Mirroring is also not the switch's primary job, and mirrored frames get the lowest priority: when the switch is busy, or the SPAN destination is oversubscribed (both directions of a full-duplex 1 Gbps link produce up to 2 Gbps of copies for a single 1 Gbps destination port), mirrored frames are silently dropped for that period. This leaves you with gaps, and no data to analyze, for exactly the times you care about.
By contrast, a Tap passes on ALL of the traffic on a link, including the bad frames a faulty NIC or cable produces, which is exactly what you need to troubleshoot common physical layer problems.
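As an added example (not from the original article), the following Python script models the ingress filtering described above over a few Ethernet frames constructed inline: it computes and verifies the FCS, flags runts, and shows which frames a SPAN copy would be missing that a Tap copy still contains. The frame builder, the sample frames and the `compare()` summary are assumptions made for the demonstration, not the behaviour of any particular switch.

```python
"""Which frames survive a SPAN copy versus a Tap copy?

Added example, not from the original article. It simulates the switch
ingress checks described above: frames with a bad FCS and frames shorter
than the 64-byte Ethernet minimum (runts) are discarded before they can be
mirrored, while a Tap forwards every frame as seen on the wire.
"""
import struct
import zlib

ETH_MIN_FRAME = 64  # minimum Ethernet frame size, including the 4-byte FCS


def build_frame(dst, src, ethertype, payload, corrupt=False):
    """Build an Ethernet frame with a trailing FCS (CRC-32 over header+payload).

    With corrupt=True one payload bit is flipped AFTER the FCS is computed,
    which is what a faulty NIC or cable produces: a frame whose FCS no longer
    matches its contents. (Constructed test data, not a capture.)
    """
    body = dst + src + struct.pack("!H", ethertype) + payload
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    if corrupt:
        body = body[:-1] + bytes([body[-1] ^ 0x01])
    return body + fcs


def fcs_ok(frame):
    """True if the trailing FCS matches a CRC-32 of the rest of the frame."""
    body, fcs = frame[:-4], frame[-4:]
    return struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)


def is_runt(frame):
    return len(frame) < ETH_MIN_FRAME


def classify(frame):
    """Label a frame the way a switch ingress port would judge it."""
    if not fcs_ok(frame):
        return "bad-fcs"
    if is_runt(frame):
        return "runt"
    return "ok"


def span_view(frames):
    """What the SPAN destination port sees: only clean, full-size frames."""
    return [f for f in frames if classify(f) == "ok"]


def tap_view(frames):
    """What a passive Tap delivers: every frame on the link, unchanged."""
    return list(frames)


def compare(frames):
    """Summarise what a troubleshooter loses by capturing from SPAN."""
    lost = [classify(f) for f in frames if classify(f) != "ok"]
    return {
        "on_wire": len(frames),
        "tap": len(tap_view(frames)),
        "span": len(span_view(frames)),
        "dropped_by_span": {k: lost.count(k) for k in ("bad-fcs", "runt")},
    }


# Constructed sample link traffic (hypothetical MAC addresses).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IPV4 = 0x0800

SAMPLE_FRAMES = [
    build_frame(DST, SRC, IPV4, b"A" * 46),                # 64 bytes, good FCS
    build_frame(DST, SRC, IPV4, b"B" * 200),               # 218 bytes, good FCS
    build_frame(DST, SRC, IPV4, b"C" * 46, corrupt=True),  # full size, bad FCS
    build_frame(DST, SRC, IPV4, b"D" * 20),                # 38 bytes: runt
    build_frame(DST, SRC, IPV4, b"E" * 500, corrupt=True), # bad FCS
]

if __name__ == "__main__":
    print(compare(SAMPLE_FRAMES))
```

Run stand-alone, the script reports five frames on the wire, five delivered by the Tap and only two by the SPAN copy, with two bad-FCS frames and one runt missing. One practical caveat when you try this against real traffic: the NIC on the analyzer side must itself be told to keep bad-CRC frames and the FCS bytes (most drivers discard both by default), or the Tap's extra fidelity never reaches your capture file.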
2. Location of Data Capture
Second, where you access monitoring data matters. It's like real estate: location, location, location. One of the great things about a Tap is that it is versatile. You can deploy one anywhere in your network, which lets you Tap ingress links, egress links, remote links, problem links and so on with almost no restrictions.
By contrast, a SPAN port is tied to a specific switch and therefore to that switch's physical location. Because the switches you would mirror from are typically in the network core, you will often struggle to get the right monitoring data from the edge of the network or from geographically distributed offices (unless each office is large enough to have its own switch).
3. Time to Resolution
The third area of concern is time to resolution. Once installed, Taps and a network packet broker eliminate the need for many change board review processes because you do not need to touch the live network. You just filter and analyze the readily available monitoring data to get the troubleshooting, performance, security-related and compliance data you need. This can result in up to an 80% reduction in mean time to repair (MTTR).
On the other hand, SPAN ports require you to reconfigure the switch (or switches) every time you want to change which traffic is copied. Since the SPAN port is part of the switch, which is an active part of the network, most SPAN configuration changes require approval, and in most enterprises there is a delay in getting that approval to touch the network. The implementation itself then usually has to wait for the next available maintenance window. This can add days or weeks to your troubleshooting process.
4. Administration Costs
Administration costs are the fourth concern. Since most Cisco switches support two (or more) SPAN sessions per device, it is often assumed that these ports are free. That ignores the cost of configuring and maintaining them. Every configuration change can take an hour or more, depending on the size of the change, on whether anyone documented what the existing filter does (a filter written a couple of years ago by someone who has since left the company may take some time to decipher, and may have been wrong to begin with), and on the time needed to validate that the new SPAN configuration is actually delivering the expected traffic. This configuration and validation time is a hidden cost that can grow to several hundred or even thousands of dollars per year.
In contrast, Taps are "set and forget," as mentioned earlier. You spend a couple of hundred dollars up front to buy a Tap and then you are done: installing it is a one-time intrusion on the network. Once installed, the Tap copies all of the traffic and forwards it to whatever tool (DLP, IDS, protocol analyzer, etc.) or network packet broker you want.
Based on these factors, many network engineers find that Taps are the better choice for ease of data capture, versatility of capture location and ongoing configuration costs.