
Types of TAPs - application possibilities in network monitoring

A Test Access Point (also called a Traffic Access Point or network TAP) is, in common parlance, a device that lets you tap into a network link, copy the network traffic and send it to an analyzer. While this statement is true, it is highly oversimplified.

The topic of TAPs is more complex due to the variety of types of these devices and the functions that can be performed with them.

Network engineers have the following six types of TAPs at their disposal:

  1. Breakout (normal)
  2. Aggregation
  3. Regeneration/SPAN
  4. Filtering
  5. Bypass
  6. Media changing (media conversion)

Breakout 'Normal' TAP:

A typical TAP has 4 ports: 2 network ports and 2 ports for connecting monitoring devices.


Diagram 1: Traffic flow in the TAP network

 

Breakout TAP's application

  1. Network ports receive traffic from the network. Network port A receives eastbound traffic and port B receives westbound traffic.
  2. The monitoring ports provide a copy of this traffic to the connected monitoring device.
  3. Monitoring port A copies eastbound traffic, and monitoring port B copies westbound traffic.

This type of TAP is most often used when the traffic volume on the link under investigation is so high that combining Tx and Rx traffic on a single monitoring port could oversubscribe that port and cause packet loss. Note that this type of TAP requires two input ports (two network cards) on the monitoring device to capture the Tx and Rx signals without loss.

Aggregation TAPs:

Aggregation TAPs allow you to take network traffic from the eastbound and westbound directions and aggregate it onto a single monitoring port.

This way, one monitoring port is enough to see eastbound and westbound traffic together.


Diagram 2: Aggregation tap copies data in both directions to monitoring ports 

Replicating/SPAN TAP:

SPAN/Regeneration TAPs allow you to take one-way traffic from a single network segment and send it to multiple monitoring tools. This allows a single traffic stream to be sent to many different monitoring tools, each serving a different purpose.


Diagram 3: The replicating TAP takes the SPAN signal from one port and sends copies of it to the rest of the ports.

Bypass TAP:

A bypass TAP is a very important tool for placing an active IT security device in-line on a critical link without introducing an additional point of failure.

Next-gen firewall (NGFW) or IPS devices require an active "in-line" connection to perform their function. A bypass TAP enables such a connection while protecting the network against an outage caused by damage to one of these devices or by the need to service, update or repair them.

A bypass TAP equipped with a failsafe function protects the network from the effects of an "in-line" device failure. The mechanism of operation is as follows. The TAP generates a test packet, which is sent to the "in-line" device. As long as this device is working properly, the test packet is sent back to the TAP. The TAP deletes the test packet before further routing of network traffic. If the TAP or the "in-line" device fails, the failsafe function "cuts off" the "in-line" device and the network traffic goes directly through the TAP.


Diagram 5: Bypass mode
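
The failsafe mechanism described above, modelled as a small simulation. This is an added example, not vendor code: the heartbeat marker, the `miss_limit` threshold, the automatic return to in-line mode and the modelling of the in-line device as a function are all assumptions made for illustration.

```python
from dataclasses import dataclass

HEARTBEAT = b"\x00TAP-HEARTBEAT"  # constructed marker, not a real vendor frame


def healthy(frames):
    return list(frames)  # working device passes everything back, heartbeat included


def failed(frames):
    return []  # hung or powered-off device returns nothing


@dataclass
class BypassTap:
    miss_limit: int = 3  # assumption: consecutive lost heartbeats before bypass
    misses: int = 0
    bypassed: bool = False

    def interval(self, frames, inline_device):
        """Process one heartbeat interval; return frames forwarded to the network."""
        # In bypass only the heartbeat probes the device (assumed recovery check).
        sent = ([] if self.bypassed else list(frames)) + [HEARTBEAT]
        returned = inline_device(sent)
        if self.bypassed:
            out = list(frames)  # traffic goes straight through the TAP
        else:
            out = [f for f in returned if f != HEARTBEAT]  # strip the test packet
        if HEARTBEAT in returned:
            self.misses, self.bypassed = 0, False  # device healthy: keep/put in-line
        else:
            self.misses += 1
            self.bypassed = self.bypassed or self.misses >= self.miss_limit
        return out


def simulate(health, miss_limit=3):
    """health: one bool per interval (device up?). Returns [(mode, delivered)]."""
    tap, timeline = BypassTap(miss_limit=miss_limit), []
    for i, up in enumerate(health):
        mode = "bypass" if tap.bypassed else "in-line"
        out = tap.interval([b"pkt-%d" % i], healthy if up else failed)
        timeline.append((mode, len(out)))
    return timeline


if __name__ == "__main__":
    for i, row in enumerate(simulate([True] * 2 + [False] * 5 + [True] * 2)):
        print(i, *row)
```

In the constructed run the device is down for five intervals: the first three show `in-line 0`, the window in which traffic is lost before the failsafe trips, so the heartbeat interval and miss threshold together set the outage length. While the TAP reports `bypass`, traffic reaches the network without passing the NGFW or IPS, so that state change is worth alerting on.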

Media Changing (media conversion) TAP:

TAPs of this type allow the connection of monitoring devices using other media than the monitored network. Various combinations are available, and the following figures show some of them.

 

Single-mode to SFP conversion: allows you to convert a single-mode fiber link to multi-mode by connecting single-mode network ports and monitoring SFP ports to the TAP, as shown in the image below.

 

Copper to SFP conversion: converts a copper link into single-mode or multi-mode fiber, as shown in the image below.

 

Whatever their type, all TAPs must share the following property:

- They cannot add another point of failure. In the event of a problem, network traffic through the TAP must keep flowing smoothly. In the case of a bypass TAP, the network link must keep working when the "in-line" device fails.
