Are You Tired of Mirroring Ports?


Network Visibility

By | 31/10/2016


Analysing Full-Duplex Networks

Blind spots can easily compromise network quality, so you really need 100% visibility into network traffic to ensure peak performance and security. But the larger your network grows, the harder it becomes to monitor.

There are a number of ways to access full-duplex traffic on a network for analysis, but which is the best? We’re going to look at three of the most common methods, and the advantages and disadvantages of each.

1. SPAN or mirror ports

Attach a monitoring or analysis device to a switch’s analyser port (in Cisco terminology, a Switch Port Analyser, or SPAN) to monitor a full-duplex link. This setup uses standard full-duplex connectors (one channel transmits, the other receives) on both the switch and the analysis device.

Span Port Diagram

Advantages

  • Low cost, as mirroring is a free feature of virtually every managed switch.
  • Remotely configurable, so you can change which ports are mirrored from any system connected to the switch.

Limitations

  • Drops packets when traffic levels on the network exceed the output capability of the SPAN.
  • Layer 1 and 2 errors are not mirrored and therefore never reach the analyser, which hampers troubleshooting.

2. Aggregation TAPs (Test Access Ports)

Attach a monitoring or analysis device to an aggregation TAP inserted into a full-duplex link. Like a SPAN, an aggregation TAP copies both sides of a full-duplex link to the analyser’s single receive channel, but its use of buffering makes it somewhat better able to keep up with high traffic levels than a SPAN.

Aggregator Network TAP

Advantages

  • Does not require a specialised (and potentially more expensive) dual-receive capture interface on the analysis device.
  • It is independent of the network, making it invulnerable to security threats.
  • Includes an internal memory buffer to mitigate the bandwidth problem associated with converging both sides of the full-duplex traffic from the network into one side of the full-duplex link to the analyser.

Limitations

  • The internal memory buffer drops packets when the bursts of activity exceed buffer capacity.
  • Although some aggregation TAPs pass along layer 1 and 2 errors, all aggregation TAPs can drop packets under heavy network utilisation.

3. Full-duplex TAPs

Attach a dual-receive monitoring or analysis device to a full-duplex TAP inserted into a full-duplex link. Dual-receive means that the network card on the analysis device has two receive channels rather than the transmit and receive channels associated with a standard full-duplex link.

Full-Duplex Network TAP

Advantages

  • Guarantees that all of the network traffic, including layer 1 and 2 error information, makes it to the analysis device.
  • It is independent of the network, making it invulnerable to security threats.

Limitations

  • It is more complex and potentially expensive to implement.

Conclusion

Each approach has advantages and disadvantages. SPANs and aggregation TAPs allow the use of a standard (and usually less expensive) network card on the analysis device, but their limitations make them less than ideal for situations where it is necessary to guarantee the visibility of every packet on the wire.

Although full-duplex TAPs are more complex and potentially expensive to implement, if you need to guarantee capture of “everything on the wire” along with errors from all network layers, a full-duplex TAP is the only choice.
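The drop behaviour described for the three methods can be reproduced with a small queue model. The following Python is an added example, not part of the original article or any vendor tool; the 1 Gb/s link, the traffic pattern, the buffer sizes and the treatment of a SPAN as an unbuffered output are all assumptions chosen for illustration.

```python
# Fluid model of a monitor output fed by one or more traffic directions.
# All traffic figures below are constructed for illustration.

LINE_RATE = 125_000  # bytes per millisecond on a 1 Gb/s link


def simulate(streams, out_rate=LINE_RATE, buffer_bytes=0):
    """Return (dropped_bytes, peak_queue_bytes) for one monitor output.

    streams: per-millisecond byte counts, one list per direction copied
    onto this output. buffer_bytes=0 models an unbuffered output.
    """
    queue = dropped = peak = 0
    for arrivals in map(sum, zip(*streams)):
        queue += arrivals
        queue -= min(queue, out_rate)            # what the output can send
        overflow = max(0, queue - buffer_bytes)  # what no longer fits
        dropped += overflow
        queue -= overflow
        peak = max(peak, queue)
    return dropped, peak


# Direction A: steady 60% load. Direction B: 30% load with a 5 ms
# line-rate burst. Each direction alone fits within the link rate.
dir_a = [75_000] * 20
dir_b = [37_500] * 5 + [125_000] * 5 + [37_500] * 10


def compare():
    return {
        # Both directions onto one output, no buffer (simplified SPAN).
        "span": simulate([dir_a, dir_b]),
        # Both directions onto one output with a 256 KiB buffer.
        "agg_tap_256k": simulate([dir_a, dir_b], buffer_bytes=256 * 1024),
        # Same, 512 KiB buffer: large enough for this particular burst.
        "agg_tap_512k": simulate([dir_a, dir_b], buffer_bytes=512 * 1024),
        # Full-duplex TAP: each direction has its own receive channel.
        "full_duplex_a": simulate([dir_a]),
        "full_duplex_b": simulate([dir_b]),
    }


if __name__ == "__main__":
    for name, (dropped, peak) in compare().items():
        print(f"{name:14} dropped={dropped:>7} B  peak queue={peak:>7} B")
```

For a security monitoring deployment, the bytes lost in the first two cases are traffic an IDS or forensic capture never sees, even though neither direction on its own exceeded the link rate.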

Observer Network TAPs

Observer nTAPs are the smart choice for feeding analysers, monitoring tools, and security devices, while decreasing the risk of dropped data.
