
When A Simple SPAN Port Is Enough (by Timothy Schmidt)


The two most common ways to access and replicate data within your network are TAP and SPAN technology. A Test Access Point (TAP) is a hardware device that copies all of your network data. SPAN, or Switch Port Analyzer, ports are mirroring ports within a switch that copy specific data on a best-effort basis, with no guarantees.

Network TAPs are always the industry's best practice, but in a few specific and limited situations a SPAN port suffices: when monitoring products are looking for low-bandwidth application-layer events like “conversation or connection analysis” and “application flows,” and in applications where real time, dropped packets and knowing real delta times are not important. SPAN could also be used in a remote location that doesn’t justify a permanent deployment, offering temporary access for limited troubleshooting.

In these specific situations when a SPAN port perfectly suffices, you likely need a way to aggregate a few SPAN lines together and send that combined network traffic out to one or more sets of tools or appliances. When these situations arise, think simplicity.


Think about using one set of network tools rather than having a unique set of tools for each SPAN. Or worse, having to rotate the tools to each SPAN port.


When we are working with a SPAN input, we do not need to worry about failure of the device attached to the SPAN port because SPAN is simply a copy of the network traffic. If there is a failure at the end of the SPAN line, the link is not affected. Knowing this, we can take SPAN inputs directly to our Advanced Aggregators without introducing a point of failure to the network traffic, and then filter, aggregate and load balance, prior to distributing the traffic out to one or more tools.

Image 2: Six SPANs connected to an Advanced Aggregator feeding two Appliances

You can aggregate all the traffic and send it out to the network tools, or you can send some of the traffic out to one monitor port and a different set of the traffic out to the other monitor port.

Image 3: Two SPANs Connected to 6 Tools or Appliances

Now we're changing the scenario to two SPANs that we want to aggregate together. That leaves enough ports available for monitoring up to six tools or appliances.


Below we see a scenario where we have 6 SPANs (or more if necessary). We are still connecting to an Advanced Aggregator, so we can distribute the traffic from the 6 SPANs to more monitoring devices. The Monitoring devices can be 1G devices and the Network ports can be 10G.


Connecting to an Advanced Aggregator allows more flexibility

The appliances can be set up to share the traffic load by "load balancing" and even filtering the data. This way, only the traffic of interest is sent out to the appliances and you can minimize the possibility of oversubscribing the 1G monitor ports. All the ports on the Advanced Aggregator are configurable as a Network Port or a Monitor Port, and the speed can be 1G or 10G. So, to use a cliché, the possibilities are endless!
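The filtering and load-balancing step described above, modelled as an added example (not from the original post and not Garland's implementation): flows from the aggregated SPAN inputs are filtered, spread over monitor ports by a direction-independent hash so both halves of a conversation reach the same tool, and each 1G monitor port is checked for oversubscription. The sample flows, the SHA-256 hash choice and all function names are assumptions.

```python
import hashlib
from collections import defaultdict

MONITOR_PORT_BPS = 1_000_000_000  # 1G monitor port, as in the article

# Constructed sample flows seen on the aggregated SPAN inputs:
# (src_ip, src_port, dst_ip, dst_port, proto, offered_bps)
FLOWS = [
    ("10.0.0.5", 51000, "10.0.1.9", 443, "tcp", 300_000_000),
    ("10.0.1.9", 443, "10.0.0.5", 51000, "tcp", 200_000_000),  # reverse direction
    ("10.0.0.7", 40222, "10.0.2.20", 873, "tcp", 700_000_000),  # bulk backup
    ("10.0.0.8", 53211, "10.0.2.53", 53, "udp", 50_000_000),
]

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key: sort the endpoints so A->B equals B->A."""
    a, b = sorted([(src, sport), (dst, dport)])
    return f"{a}|{b}|{proto}".encode()

def pick_port(flow, n_ports):
    """Map a flow to a monitor port; the same conversation always maps alike."""
    digest = hashlib.sha256(flow_key(*flow[:5])).digest()
    return int.from_bytes(digest[:4], "big") % n_ports

def distribute(flows, n_ports, keep=lambda f: True):
    """Apply the filter, then sum offered load (bps) per monitor port."""
    load = defaultdict(int)
    for f in flows:
        if keep(f):
            load[pick_port(f, n_ports)] += f[5]
    return dict(load)

def oversubscribed(load, capacity=MONITOR_PORT_BPS):
    """Monitor ports whose offered load exceeds capacity (tool would drop)."""
    return sorted(p for p, bps in load.items() if bps > capacity)

def not_backup(f):
    """Hypothetical filter: drop bulk backup traffic the tools do not need."""
    return 873 not in (f[1], f[3])

if __name__ == "__main__":
    for label, keep in (("unfiltered", lambda f: True), ("filtered", not_backup)):
        load = distribute(FLOWS, n_ports=1, keep=keep)
        print(label, load, "oversubscribed:", oversubscribed(load))
```

An oversubscribed monitor port means the attached tool silently misses packets, so the check belongs before the filter and port mapping go live.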


Author - Timothy Schmidt is a Territory Sales Manager at Garland Technology.

Timothy leads Garland's mission of educating all organizations and individuals on the benefits of having a strong foundation of network visibility and access.