Written by Alastair Hartrup, CEO of Network Critical
In today's increasingly complex IT landscape, reliable networking infrastructure
and visibility into the entire network environment have never been more
crucial. What many fail to recognize is that success or failure in maintaining
proper network performance and security can often come down to test access points (TAPs), which manage the
flow of traffic and ensure that key monitoring and security tools have access
to the information they need. While TAP deployment can seem like a
straightforward proposition, there are several common mistakes that can lead to
major network issues.
The majority of enterprise networks utilize four to seven specialized tools on
network links in order to achieve visibility into traffic monitoring,
information security and infrastructure security. By using TAPs to connect
tools to live links, network managers can safely see, analyze and protect
traffic without compromising network reliability. As with most networking
equipment, proper installation and configuration is critical to getting the
most out of the product and network capabilities. Here are five common network
TAP deployment and configuration issues every organization should be aware of
and avoid:
1. Filter Assignments - Many intelligent TAPs have traffic
filtering features that allow certain traffic to be eliminated from the traffic
stream assigned to a given tool. Most TAPs use hierarchical filtering, which
means that filter rules follow a linear descending progression. For example, if HTTP traffic is eliminated in
rule #1, it can't later be included in rule #2 or beyond. This makes it
imperative that meticulous advance planning be done to understand which tools
need which data. Then the planner must prioritize the tools in the correct
order to get the right information to the right tool.
In larger networks, this can be a very
complex task, sending filtered streams of information to certain upstream tools
without jeopardizing the totality of traffic required by other downstream
tools. If certain data is eliminated prior to arriving at the tool that's
expecting it, the analysis will be flawed, which may cause alarms or worse,
removal of a link from service until the filter rules are corrected.
Fortunately, there are a few TAPs that use
innovative independent filter rules and do the math in the background. With
independent filters, downstream tools are not dependent on upstream rules. This
increases information accuracy and dramatically speeds deployment. Building
flexible, independent rules and applying them independently to individual tools
cuts planning time from hours to minutes, and eliminates potential
service-affecting configuration errors.
2. Port Mapping Errors - Many TAPs can have 16 or more
ports. So, even when network links and tools are physically plugged into the
correct ports, internal maps of incoming traffic, outgoing traffic and through
traffic must be properly configured. Many TAPs use a programming syntax called
Command Line Interface (CLI) to configure the unit. Each port must be directed
to act as input for network traffic or output to tools using a set of
specialized commands. Errors occur when network ports are internally mapped to
incorrect tools, sending the wrong information and therefore providing erroneous
results.
Some TAPs, however, use an advanced Graphical
User Interface (GUI) making the configuration task simpler and faster. By
taking the programming language out of configuration, port mapping can be as
simple as dragging a cursor and clicking on the correct ports. GUIs
are simple to use, save time and often provide misconfiguration alarms when
configuration rules are broken. Using a TAP with an advanced GUI can improve
accuracy and eliminate configuration mapping errors.
3. Connecting Network Links to Tool Ports - TAP ports are
often designated for specific functions and designed as such. Ports that are
designed to connect to network links provide fail-safe technology. If power is
lost to the TAP, fail-safe will keep the live network link active and passing
data. This network protection technology is designed onto network port cards,
including fast relays for copper links and optical splitters for fiber links.
However, ports that are designed specifically to connect tools and not interface
with live links do not have fail-safe relays or splitters. If those tool ports
are used as network access ports and power is lost to the unit, the network
link will fail.
It is possible to avoid this mistake by
looking for TAPs that provide the flexibility to use any port for either
network or tool access. These TAPs include fail-safe relays on all ports, so it
doesn't matter which port is used for network or tool access.
4. Mismatched Optical Fiber Connections - Multi-mode and
single-mode optical fibers are different sizes and have different transmission
characteristics. In designing optical networks, it's important not to mix these
two media. Single-mode fiber is generally used for higher bandwidth
(>10Gbps) and longer distances. Multi-mode is used for shorter distances and lower
bandwidth (<1Gbps). Connecting multi-mode to single-mode can cause CRC
errors and other transmission difficulties. In basic optical break-out TAPs,
it's always wise to check your fibers and make sure that the network in and tool
output are compatible.
There are Intelligent TAPs that can provide
media conversion if optical link and tool interfaces are not compatible. For
example, a long-distance, single-mode link may be connected to a TAP port and
mapped to a monitoring tool that has a multi-mode interface. The media
conversion will happen in the TAP as long as speeds are compatible.
5. Oversubscribing Ports - TAP ports are designed to pass
traffic within a specific bandwidth range. There are copper and optical fiber
ports designed for 1Gbps speeds and below. Other ports use Small Form-factor
Plug-in (SFP) cages that allow for a variety of single-mode and multi-mode
fiber interfaces at speeds of 10Gbps and higher. Monitoring tools use
similar ports to connect to links through TAPs. When connecting tools to links
through TAPs, it's important to understand the processing capacity of the tool
and the speed of the link to be sure they're compatible. Oversubscribing a TAP
port or a tool port will cause inaccurate analysis results because packets will
be randomly dropped to meet port limitations.
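
The checks described in items 2 through 5 can be run against a port inventory before a TAP goes live. The following is an added example, not code from the author or from any TAP vendor; the inventory layout, port names, rates and finding labels are all hypothetical, and oversubscription is judged by summing the peak load of every link mapped to a tool port.

```python
# Constructed inventory; port names, fields and rates are hypothetical.
TAP = {
    "media_conversion": False,  # basic break-out TAP: no media conversion
    "ports": {
        "P1": {"failsafe": True, "media": "smf", "gbps": 10},
        "P2": {"failsafe": True, "media": "smf", "gbps": 10},
        "P3": {"failsafe": False, "media": "copper", "gbps": 1},
        "P4": {"failsafe": False, "media": "mmf", "gbps": 10},
        "P5": {"failsafe": False, "media": "smf", "gbps": 10},
    },
    # Ports carrying a live network link, with peak offered load in Gbps.
    "links": {"P1": 6.0, "P2": 7.0, "P3": 0.4},
    # Tool port -> network ports whose traffic is mapped to it.
    "maps": {"P4": ["P1"], "P5": ["P1", "P2"]},
}


def lint(tap):
    """Return a list of (finding, location) tuples for a TAP inventory."""
    findings = []
    ports = tap["ports"]
    # Item 3: a live link on a port without fail-safe drops on power loss.
    for port in sorted(tap["links"]):
        if not ports[port]["failsafe"]:
            findings.append(("no-failsafe", port))
    for tool in sorted(tap["maps"]):
        sources = tap["maps"][tool]
        for src in sources:
            # Item 2: a map that points at a port with no link attached.
            if src not in tap["links"]:
                findings.append(("no-link-on-source", f"{src}->{tool}"))
                continue
            # Item 4: single-mode mapped to multi-mode without conversion.
            media = {ports[src]["media"], ports[tool]["media"]}
            if media == {"smf", "mmf"} and not tap["media_conversion"]:
                findings.append(("media-mismatch", f"{src}->{tool}"))
        # Item 5: combined peak load exceeds what the tool port can pass.
        load = sum(tap["links"].get(src, 0) for src in sources)
        if load > ports[tool]["gbps"]:
            findings.append(("oversubscribed", tool))
    return findings


if __name__ == "__main__":
    for finding in lint(TAP):
        print(*finding)
```
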
To better enable the critical network monitoring and security tools that support
your business, be sure that all TAP deployments and configurations are done
properly by keeping an eye out for these five possible problem areas. And to
reduce the potential for network issues down the road, consider implementing
intelligent TAPs that provide configuration mapping, filter alarms, media
conversion and more through simple GUIs.
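
The ordering problem from item 1 can be checked on paper before any rule is loaded. The following is an added example, not code from the author or from any TAP product; the tool names, traffic classes and the simplified model (each rule removes classes from the stream that all later rules see) are assumptions made for illustration.

```python
from itertools import permutations

ALL_CLASSES = {"http", "dns", "smtp", "sip", "rtp"}

# Constructed sample (hypothetical tool names): the traffic classes each tool
# needs, and the classes its filter rule eliminates.
TOOLS = {
    "voip_monitor": {"needs": {"sip", "rtp"}, "drops": {"http", "dns", "smtp"}},
    "ids": {"needs": set(ALL_CLASSES), "drops": set()},
    "web_apm": {"needs": {"http", "dns"}, "drops": {"smtp"}},
}


def delivered(order, tools, hierarchical):
    """Return {tool: classes it receives} with rules applied in `order`."""
    out, removed = {}, set()
    for name in order:
        if hierarchical:
            # Anything eliminated here is gone for every later rule too.
            removed |= tools[name]["drops"]
            out[name] = ALL_CLASSES - removed
        else:
            # Independent rules: only the tool's own filter applies.
            out[name] = ALL_CLASSES - tools[name]["drops"]
    return out


def starved(order, tools, hierarchical):
    """Return {tool: sorted list of needed classes that never arrive}."""
    got = delivered(order, tools, hierarchical)
    return {
        name: sorted(tools[name]["needs"] - got[name])
        for name in order
        if tools[name]["needs"] - got[name]
    }


def workable_orders(tools):
    """All rule orders that starve no tool under hierarchical filtering."""
    return [p for p in permutations(tools) if not starved(p, tools, True)]


if __name__ == "__main__":
    naive = list(TOOLS)
    print("hierarchical, naive order:", starved(naive, TOOLS, True))
    print("independent, naive order: ", starved(naive, TOOLS, False))
    print("workable hierarchical orders:", workable_orders(TOOLS))
```

With this sample only one of the six possible rule orders feeds every tool under hierarchical filtering, while independent rules work in any order.
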
## About the Author
Alastair Hartrup is the CEO and founder of Network Critical, a
company that provides industry-leading network TAPs and Packet Brokers, which help
organizations increase visibility across dynamic and complex networks. He
founded Network Critical in 1997, and today more than 5,000 companies
worldwide rely on its technology to help power the network and security
monitoring tools needed to control changing infrastructure.