In recent years, companies have shown the benefits of “copying” and sending traffic from network backbones to purpose-built monitoring devices…no interference with the existing, “live” traffic and the traffic can be analyzed in real-time or stored for later playback. However, the best approaches to “copying” and sending the traffic to be monitored has been a source of contention. As 40/100G becomes more prevalent, how the traffic is accessed will become increasingly important.
Initially, the Switched Port Analyzer (SPAN) ports were used to deliver copies of traffic to analyzers, but this has posed several problems at the 1G and 10G data rates, which likely will increase exponentially with 40/100G:
- SPAN ports are part of the switch/router and operate in much the same way as typical ports, so the data is not always an exact copy
- Traffic congestion both on the router and on the SPAN port itself can result in increased latency or the traffic to be dropped completely
- Relying on a device that could be creating the problem to help identify it can be a self-defeating exercise