
TAP Into Technology

Leading the Way in Network Technology

The 101 Series: Quick Connect Tips for Out-of-Band Monitoring Appliances

Posted by George Bouchard | 11/15/16 10:25 AM

Active in-line appliances are on the front-lines of your network, but out-of-band monitoring devices are just as important to your overall network visibility and security. Your out-of-band monitoring devices might include application performance monitoring, Wireshark, network analyzers, lawful intercept and deep packet inspection.

In this post, we’ll discuss the keys to ensuring 100% network access for your out-of-band monitoring appliances that analyze your network traffic.


The Keys to Tapping Out-of-Band Monitoring Appliances

Your out-of-band monitoring devices aren’t effective if they can’t see 100% of network traffic and compare it to your normal baseline. Placing analyzers and network TAPs in different locations throughout the network will allow you to compare traffic to help spot suspicious activity and ensure the devices are deployed effectively.

Follow these tips for proper deployment:

Use Passive Network TAPs for Out-of-Band Monitoring Devices

Unlike active network TAPs that pass traffic through an active in-line device, passive network TAPs simply copy traffic from the network and pass it to the monitoring appliances. Whether you have a fiber optic network or a 10/100M network, passive network TAPs ensure total network uptime even in the case of power failure.

Not all passive network TAPs are created equal, though. Determining which mode you need is essential to ensuring visibility.

Breakout vs. Aggregating Modes

The type of passive network TAP you choose is based on the type of device you’re tapping and its environment. A breakout TAP can be used for high utilization situations. The following figure depicts how breakout mode works:

Figure 1: Copper TAP

Figure 2: Fiber TAP

Network elements (a router and a switch) are connected to Network Ports A and B. The router on Port A sends traffic to Port B and Monitor Port C while the switch on Port B sends traffic to Port A and Monitor Port D. A network monitoring device is linked to Ports C and D, analyzing 100% of the traffic from the router and switch. Because the traffic is separated into two different ports, breakout mode can handle your heaviest traffic situations.

For example:

TAP 1G full duplex for 2G traffic

TAP 10G full duplex for 20G traffic

TAP 40G full duplex for 80G traffic

TAP 100G full duplex for 200G traffic

Aggregating mode, on the other hand, combines the traffic from Port A and Port B, delivering two separate copies to Port C and Port D. This gives you the ability to connect two different monitoring devices (Wireshark and deep packet inspection, for example), but limits you to low utilization scenarios because of potential over-subscription.

 

Figure 3: Aggregating TAP

 

Aggregating TAPs can support devices with just one NIC and combine monitoring traffic into a single monitoring port. For example, if Wireshark is running on a laptop that has only one NIC, you can now see both sides of the traffic. When you understand the technical requirements of your appliance and network, you can choose the right TAP for the job.
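The over-subscription limit described above can be checked against measured link utilization before choosing a mode. The following is an added example, not code from the original post or from Garland Technology; the per-second rates are constructed sample data, and `buffer_mbit` is a hypothetical modeling parameter, not a product specification.

```python
# Added example: loss on a TAP monitor port, breakout vs. aggregating mode.
# Rates are per-second averages in Mbit/s; sample data below is constructed.

def port_loss(offered_mbps, port_mbps, buffer_mbit=0.0):
    """Return (dropped_mbit, oversubscribed_seconds) for one monitor port.

    buffer_mbit is a hypothetical buffer size (modeling assumption).
    """
    queued = dropped = 0.0
    over = []
    for second, offered in enumerate(offered_mbps):
        if offered > port_mbps:
            over.append(second)
        # Backlog left after the port drains at line rate for one second.
        queued = max(0.0, queued + offered - port_mbps)
        if queued > buffer_mbit:          # buffer full: excess is lost
            dropped += queued - buffer_mbit
            queued = buffer_mbit
    return dropped, over

def breakout(a_to_b, b_to_a, port_mbps):
    """Breakout mode: each direction has its own monitor port (C and D)."""
    drop_c, over_c = port_loss(a_to_b, port_mbps)
    drop_d, over_d = port_loss(b_to_a, port_mbps)
    return drop_c + drop_d, sorted(set(over_c) | set(over_d))

def aggregating(a_to_b, b_to_a, port_mbps, buffer_mbit=0.0):
    """Aggregating mode: A and B are summed onto each monitor port."""
    combined = [a + b for a, b in zip(a_to_b, b_to_a)]
    return port_loss(combined, port_mbps, buffer_mbit)

def visibility(dropped_mbit, a_to_b, b_to_a):
    """Fraction of offered traffic that reached the monitoring tool."""
    total = sum(a_to_b) + sum(b_to_a)
    return 1.0 if total == 0 else 1.0 - dropped_mbit / total

# Constructed sample: six seconds on a 1G full-duplex link.
ROUTER_TO_SWITCH = [300, 450, 700, 900, 400, 200]   # Port A -> Port B
SWITCH_TO_ROUTER = [200, 400, 600, 800, 300, 100]   # Port B -> Port A

if __name__ == "__main__":
    for name, (drop, over) in {
        "breakout": breakout(ROUTER_TO_SWITCH, SWITCH_TO_ROUTER, 1000),
        "aggregating": aggregating(ROUTER_TO_SWITCH, SWITCH_TO_ROUTER, 1000),
    }.items():
        seen = visibility(drop, ROUTER_TO_SWITCH, SWITCH_TO_ROUTER)
        print(f"{name}: dropped={drop} Mbit, seconds={over}, seen={seen:.1%}")
```

Per-second averages hide microbursts, so a result of zero loss here is a lower bound on what the monitoring tool may actually miss.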



Packet Brokers with Load Balancing Are Very Useful for Out-of-Band Monitoring Appliances

Packet brokers can be placed between your network TAP and network monitoring devices so you can manipulate your traffic in many ways, ensuring your monitoring appliances receive just the traffic they need to perform the analysis you require. Packet brokers are also useful when you have many network links and fewer appliances, or a new high-speed link going to existing low-speed appliances.

The packet broker can filter, aggregate and load balance the traffic presented to it and send the traffic off to out-of-band appliances. Packet brokers can also change the media from fiber to copper, or from single-mode fiber to multi-mode. A packet broker with hybrid bypass TAPs can also send information to your security tools, while providing fail-safe security for your active, in-line appliances.

Load balancing with packet brokers allows your network tools to see every bit, byte and packet® necessary to analyze the health of your network. Packet brokers also support “any to any” configuration (1G to 10G, 10G to 1G, to 40G, 1G to 40G, 40G to 10G and 1G) so you can grow your network and ensure 100% visibility without purchasing new appliances with every upgrade.

100% Traffic Analysis All of the Time

Implementing passive network TAPs is guaranteed to ensure 100% visibility for your monitoring devices. Combined with a packet broker, they give you a great deal of flexibility to view what is going on in your network and keep it properly maintained. Remember, you can’t fix what you can’t see.

 

Have questions about designing your network for complete visibility? Contact the experts at Garland Technology for a free Design-It consultation. 


Written by George Bouchard

George has many years of experience working with both hardware and software in the OEM and Commercial marketplace. George’s expertise is in the engineering of Network TAPs.