Even if you’ve already realized the inferiority of SPAN ports and started moving to network TAPs, you still have to make sure your network design is set up for visibility into every bit, byte and packet® of traffic.
However, the growing complexity of the security stack, and of the network monitoring solutions it requires, is making it harder than ever to maintain an efficient network design.
As more in-line appliances and out-of-band monitoring tools are added to the network, architects must pay close attention to the amount of traffic they’re sending to each port.
Standard breakout mode may have worked in all use cases in the past, but copying 100% of traffic to all ports is no longer an option in many cases. Let’s dive into a practical example of tapping 1G in-line and out-of-band solutions without oversubscribing your ports.
Tapping In-Line and Out-of-Band Solutions with a 2U Chassis
The new 1G Modular Packet Broker System from Garland Technology is designed to support breakout, aggregation, filtering, regeneration/SPAN and bypass modes for total flexibility and scalability. The 2U chassis option can help you manage your in-line and out-of-band solutions without oversubscribing 1G ports.
In this scenario, eastbound and westbound traffic passes through the modular TAP in breakout mode. A complete copy of both directions is then aggregated and sent to the corresponding appliance (in this case, a web application firewall).
However, the monitoring ports only support 1G, and a full-duplex 1G link can carry up to 1 Gbps in each direction, so the aggregated copy of a busy link can exceed what a single 1G monitor port can deliver. The TAPs must therefore also filter out packets that the web application firewall does not need to inspect. Using the remote management interface of the 1G Modular Packet Broker System, you can set the filtering parameters and ensure in-line and out-of-band solutions see every bit, byte and packet® they need.
Port Mapping Explained
Aside from being unable to guarantee 100% packet visibility, SPAN ports are inferior to network TAPs because the number of SPAN ports on a switch is limited compared with the number of in-line and out-of-band solutions you have to connect. As you add appliances to your network, you need a design that minimizes the number of ports each one consumes.
Port Mapping (or backplane filtering) on the new 1G Modular Packet Broker System lets you aggregate low-traffic links and send them to a single in-line or out-of-band solution without oversubscribing ports. The check to make before mapping is simple: the combined peak load of the mapped links, after filtering, must stay below the monitor port's line rate, with some headroom for bursts.
Think of this in terms of your own network where you might have a Palo Alto Next-Generation Firewall and the NextComputing Packet Continuum to send traffic to. With the 1G Modular Packet Broker System and port mapping, you can take multiple 1G links and filter out any unnecessary data before sending copies to both the monitoring device and in-line security appliance.
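The oversubscription arithmetic behind both the filtering step and port mapping can be worked through in a small planner. The following is an added example written for this article, not Garland Technology's code and not the broker's management interface; it assumes constructed link names, peak utilizations and filter ratios, and uses a first-fit-decreasing packing to assign tapped links to monitor ports.

```python
"""Port-mapping capacity planner for tapped links on a packet broker.

Added example; not Garland Technology code and not the broker's own
management interface. It models the oversubscription arithmetic described
in the article: a full-duplex 1G link carries up to 1 Gbps in EACH
direction, so aggregating both directions of one busy link can already
exceed a 1G monitor port. Filtering reduces the copied traffic; port
mapping packs lightly loaded links onto one port. All link names,
utilizations and filter ratios below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TappedLink:
    name: str
    link_gbps: float            # line rate per direction (1.0 for 1GbE)
    east_util: float            # peak utilization eastbound, 0.0..1.0
    west_util: float            # peak utilization westbound, 0.0..1.0
    filter_retain: float = 1.0  # fraction the broker filter passes (1.0 = no filter)

    def copied_gbps(self) -> float:
        """Traffic the broker must emit for this link: both directions
        aggregated (a saturated full-duplex 1G link is 2 Gbps) times the
        share the filter keeps."""
        for v in (self.east_util, self.west_util, self.filter_retain):
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{self.name}: ratios must be within 0..1")
        return self.link_gbps * (self.east_util + self.west_util) * self.filter_retain


def plan_port_mapping(links, port_capacities_gbps, headroom=0.9):
    """First-fit-decreasing assignment of tapped links to monitor ports.

    port_capacities_gbps: {port_name: line rate in Gbps}.
    headroom: fraction of a port's line rate the plan may use, leaving
    room for bursts above the measured peaks.
    Returns {port_name: [link names]}. Raises ValueError if any link
    cannot be placed without oversubscribing a port.
    """
    usable = {p: c * headroom for p, c in port_capacities_gbps.items()}
    load = {p: 0.0 for p in port_capacities_gbps}
    mapping = {p: [] for p in port_capacities_gbps}
    unplaced = []
    # Place the largest demand first; this gives the packing the best chance.
    for link in sorted(links, key=TappedLink.copied_gbps, reverse=True):
        demand = link.copied_gbps()
        for port in port_capacities_gbps:
            if load[port] + demand <= usable[port] + 1e-9:
                load[port] += demand
                mapping[port].append(link.name)
                break
        else:
            unplaced.append(f"{link.name} ({demand:.2f} Gbps)")
    if unplaced:
        raise ValueError("would oversubscribe: cannot place " + ", ".join(unplaced))
    return mapping


def port_loads(links, mapping):
    """Resulting load per monitor port in Gbps (rounded), for reporting."""
    by_name = {l.name: l for l in links}
    return {p: round(sum(by_name[n].copied_gbps() for n in names), 2)
            for p, names in mapping.items()}


# Constructed sample links. The WAN uplink is busy in both directions, so an
# unfiltered copy (0.70 + 0.60 = 1.3 Gbps) cannot fit a 1G monitor port even
# on its own; a filter that keeps only the web traffic the WAF needs (60%)
# brings it down to 0.78 Gbps.
SAMPLE_LINKS = [
    TappedLink("wan-uplink", 1.0, east_util=0.70, west_util=0.60, filter_retain=0.60),
    TappedLink("dmz-web",    1.0, east_util=0.30, west_util=0.25),
    TappedLink("voip",       1.0, east_util=0.15, west_util=0.15),
    TappedLink("mgmt",       1.0, east_util=0.05, west_util=0.05),
]
MONITOR_PORTS = {"mon1": 1.0, "mon2": 1.0}   # two 1G monitor ports on the broker

if __name__ == "__main__":
    plan = plan_port_mapping(SAMPLE_LINKS, MONITOR_PORTS)
    loads = port_loads(SAMPLE_LINKS, plan)
    for port, names in plan.items():
        print(f"{port}: {names} -> {loads[port]} Gbps")
```

With the sample data the planner maps the filtered WAN uplink and the management link onto one port (0.88 Gbps) and the DMZ web and VoIP links onto the other (0.85 Gbps). Remove the WAN uplink's filter and the same call raises, because a 1.3 Gbps copy can never be delivered through a 1G port; that is the case the article's filtering step exists to solve.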
This is just one use case for the new 1G Modular Packet Broker System. With space for up to 12 TAP modules, the chassis can be configured in many ways for your specific needs. All modules are hot swappable for on-site changes, and remote management lets you switch a module between bypass, aggregation and breakout modes with a mouse click.
One of the greatest benefits of the new 1G Modular Packet Broker System is the flexibility it gives you to scale your network alongside growing security and monitoring stacks. But this also means you need a strong network design to ensure appliances are seeing every bit, byte and packet® without oversubscription.
If you want to learn more about the ins and outs of network connectivity, download our latest white paper, Network Connectivity: A Go-To Guide.