Monitoring, analysis and out-of-band security tools all have one thing in common: they need a reliable data source from which to obtain network data, and they depend on this source to function. But what is the best way to feed network data to these tools?
Many believe that they can simply configure a SPAN port (also called a mirror port) on an existing switch to extract the network data. Depending on the configuration, this port then outputs a copy of the network data passing through the switch.
Others prefer to use Network TAPs (TAP stands for Test Access Point or Test Access Port): dedicated devices that are inserted inline into a network link and output a copy of the network data carried over that link from the production network.
On the following pages we will take a closer look at which of these two options should be chosen, and why.
2. How a SPAN/Mirror port works
To know the advantages and disadvantages of a SPAN port, one must first understand how it works.
The concept itself is very simple. Once the user has designated a free port on a switch as a SPAN port, the switch's operating system duplicates the incoming data packets accordingly and outputs the copies on that SPAN port.
At the same time, the SPAN port loses its function as a regular switch port, because any packets arriving on it are discarded by the switch.
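As an added example that is not part of the original document, this is what the step "define a free port as a SPAN port" looks like on a Cisco IOS switch; the platform, the session number and the interface names are assumptions:

```text
! Added example: Cisco IOS SPAN session (platform and interface names assumed).
! Global configuration mode. Mirror traffic in both directions (rx and tx)
! from the access ports Gi1/0/1 and Gi1/0/2 ...
monitor session 1 source interface GigabitEthernet1/0/1 - 2 both
! ... to the port where the monitoring tool is attached. Once configured as a
! SPAN destination, Gi1/0/24 no longer acts as a normal switch port: frames the
! tool sends into this port are discarded by the switch, as described above.
monitor session 1 destination interface GigabitEthernet1/0/24
! Privileged EXEC mode: verify the sources and destination of the session.
show monitor session 1
```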