SPECTRAMI - EMEA Value Added Distributor for Security, Network Visibility, Performance Monitoring, and Test Solutions


Many of our customers have questions about our products, solutions, and their technology in general. These frequently asked questions are presented here for your quick reference:

Network Packet Brokers

What is a Network Packet Broker (NPB)?

Network Packet Broker (NPB) defines a new category of compact, hardware-based, rack-mounted devices that offer a new approach for handling and manipulating network packets. NPBs optimize the access and visibility of traffic from one or many network links to monitoring, security and acceleration tools. NPB capabilities include:
  • Aggregation of monitored traffic from multiple links/segments
  • Filtering and grooming of traffic to relieve overburdened monitoring tools
  • Load-balancing traffic across a pool of tools
  • Regeneration of traffic to multiple tools
  • Available speeds from 1G to 100G
NPBs intelligently distribute traffic flowing from network devices across various port mappings - many-to-many, any-to-many, many-to-any, and any-to-any. Formerly NPBs were known as data monitoring switches, data access switches, matrix switches, or traffic aggregators. The category of NPB encompasses all of these.

Are NPBs out of band or in-line devices?

NPBs are designed for both out-of-band and in-line deployment. They aggregate or copy network traffic to one or more ports.

What if my network or existing monitoring tools are not the same media type?

No problem. Most NPBs are available with a mix of copper and SFP ports, or with all SFP-based ports, to allow complete flexibility for mixing media types.

Do Network Packet Brokers support Flow Coherency?

Yes, all our NPBs support Flow Coherency.
Flow coherency ensures complete two-way conversations are directed to the same monitoring tool - meaning that traffic flows are kept together on the same monitoring tool.
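One way flow coherency can be achieved when load-balancing across tools is to hash a direction-independent key, shown here as an added example (not vendor code, and not a statement of how any particular NPB implements it). The function names, the CRC32 hash, and the sample packets are assumptions made for illustration.

```python
import ipaddress
import zlib

# Constructed sample: (src_ip, src_port, dst_ip, dst_port, ip_proto),
# with both directions of three conversations. Not captured traffic.
SAMPLE_PACKETS = [
    ("10.0.0.5", 51514, "192.0.2.10", 443, 6),
    ("192.0.2.10", 443, "10.0.0.5", 51514, 6),
    ("10.0.0.7", 40000, "192.0.2.20", 53, 17),
    ("192.0.2.20", 53, "10.0.0.7", 40000, 17),
    ("2001:db8::1", 50000, "2001:db8::2", 22, 6),
    ("2001:db8::2", 22, "2001:db8::1", 50000, 6),
]

def _endpoint(ip, port):
    """Encode one endpoint as bytes (works for IPv4 and IPv6)."""
    return ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")

def naive_tool(pkt, n_tools):
    """Hash the 5-tuple in wire order. Request and reply produce
    different keys, so they can land on different tools."""
    src, sport, dst, dport, proto = pkt
    key = _endpoint(src, sport) + _endpoint(dst, dport) + bytes([proto])
    return zlib.crc32(key) % n_tools

def coherent_tool(pkt, n_tools):
    """Sort the two endpoints before hashing, so both directions of a
    conversation produce the same key and reach the same tool."""
    src, sport, dst, dport, proto = pkt
    a, b = sorted([_endpoint(src, sport), _endpoint(dst, dport)])
    return zlib.crc32(a + b + bytes([proto])) % n_tools

def split_flows(packets, pick, n_tools):
    """Return the conversations whose packets reached more than one tool."""
    seen = {}
    for pkt in packets:
        src, sport, dst, dport, proto = pkt
        flow = (frozenset([(src, sport), (dst, dport)]), proto)
        seen.setdefault(flow, set()).add(pick(pkt, n_tools))
    return [flow for flow, tools in seen.items() if len(tools) > 1]

if __name__ == "__main__":
    for name, pick in (("naive", naive_tool), ("coherent", coherent_tool)):
        broken = split_flows(SAMPLE_PACKETS, pick, 4)
        print(f"{name}: {len(broken)} conversation(s) split across tools")
```

A tool that receives only one direction of a conversation cannot reassemble the session, which is why split conversations matter for IDS and forensic tools.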

Network Taps

Are Network Taps passive devices?

Copper Network Taps as well as Fiber Network Taps are generally passive devices.
Passive in the sense that these Taps don't inject any additional data into the wire, don't need an IP address, and are fully transparent within the network.
Fiber Taps are even more passive than copper taps since they do not even need any power supply. So in the event of power loss, network traffic will flow uninterrupted as long as the network itself has power.
For copper taps Ixia invented the so called Zero Delay™ functionality which offers true zero-delay operations to prevent network disruptions for maximum network reliability. During a power outage, unique circuitry preserves the state of each network port ensuring the network link remains fully functional with zero packet loss; only monitor traffic becomes unavailable.

I am monitoring my network segment via a Span (mirror) port on my switch. How will I benefit by using a Tap?

Network Taps create permanent access ports for passive monitoring by splitting or regenerating the full-duplex network signal. The monitoring device connected to the Tap receives traffic as if it were in-line, including all errors. In contrast, a monitoring device connected to a switch Span port does not see all traffic. Corrupt network packets, or packets below minimum size, are usually dropped. Switches also eliminate Layer 1 and select Layer 2 errors, and are constrained by the bandwidth capacity of the Span port. In addition, by using a Tap you put less load on your switch buffer and can eliminate "resets" by the switch. For more information, please download the following white paper: Taps vs. SPAN - Full Visibility into Today's Networks

What is a “Potential Point of Failure” and why should it be considered as part of any network access design that includes taps?

All network hardware, no matter how reliable, must be considered as a device that could malfunction. Network architects will assess the mission critical nature of any given link, what redundant or alternate data paths exist, and how service might be impacted if a service window were required to replace a device in that link.
In some cases an in-line device that has multiple links passing through it may be an appropriate choice. But a more conservative design might dictate that no in-line device should ever tap more than one link, thereby eliminating the possibility that two links might ever be impacted if such a device had to be replaced. The most conservative or lowest-risk designs may even require that the tapping be done by a non-powered Physical Layer device such as a simple fiber tap, and that the task of aggregating the duplex data streams and making multiple copies for the tools be handled by a separate device.
There is no right or wrong answer to such a question. It will be determined by the individual circumstances and priorities of the organization, but such issues should be considered.

What is the “TCP Reset” or Traffic Injection feature in a tap and how is it used?

Intrusion Detection Systems (IDS) may have an option to use a feature known as “Active Response” when malicious traffic is detected. If an attacker uses TCP sessions, they can be reset by RST (Reset) packets that are sent to reset one or both hosts in a session from the IDS. In the case of UDP, a session can be broken by sending various ICMP packets to the host from the IDS box.
In some cases the IDS may need to use the monitoring NIC for this purpose. Enabling a bi-directional traffic path in the tap allows the RST packets to re-enter the network through a tapped copper link. In the case of a tapped fiber link, the directional characteristics of fiber taps will not allow this. The “any-to-any” feature of Datacom Systems configurable taps allows the RST packets to be sent out any available extra Monitor port of the tap and enter the network via a local network switch.
Traffic injection is only done on copper-based inline taps or bypass switches. Fiber taps do not allow traffic injection because of their directional nature; they simply make a one-way copy of traffic used for analysis.

I have had a Fiber Tap for a couple of years and noticed that the light loss budget seems higher. Do the Fiber Taps go bad?

Fiber components of Fiber Taps are usually designed to last for the life of your installation. Dirty or loose connectors will cause a loss of optical power. Cleaning the connectors will restore light levels in most cases.

I noticed Fiber Optic Taps are offered in multiple split ratios. Why would I need the different split ratios?

A split ratio is the amount of light that is re-directed from the network to the monitor ports. With higher split ratios, less light is re-directed from the network link to the monitoring link, ensuring adequate light power for the network link. For details, see our Fiber Split Ratio Reference Chart.

I have installed a Fiber Tap and verified that network traffic is passing through the Tap but I do not see traffic coming out of the Tap Monitor Ports. What should I check?

If the Transmit and Receive portions of your fiber optic cable are crossed on the Network Ports of the Tap, you will see traffic pass through the Tap but nothing coming from the Monitor Ports. Check to see that the cables going into the Network A and B ports on the Tap are as follows: TX = In, RX = Out.

Do Taps participate in link negotiation?

All Fiber, WAN, and 10/100-based Taps are pass-through devices that do not participate in link negotiation. Ixia/Net Optics Copper Taps negotiate a separate link with each network device.

Aggregation Taps

Where would I use an aggregation tap in my network?

Aggregator Taps offer total access to full-duplex links with only one NIC or network port and are ideal for Ethernet links where the total utilization is under 50%. The most likely locations on the network to deploy a link aggregation tap will be those in which IDS devices or probes need 24x7 visibility. These include the links between switches and critical servers, full duplex connections between firewalls and routers, as well as links between firewalls and a demilitarized zone (DMZ).

What's the difference between Port Aggregators and Link Aggregators?

Port Aggregation Taps aggregate the RX and TX traffic of one network link to one monitoring port, so the full-duplex network traffic can be analyzed on one single interface. After the TX and RX traffic has been aggregated to one single port, the aggregated traffic is regenerated to a second monitoring port, so that a second monitoring tool can also analyze the full-duplex traffic with just one NIC.
Link Aggregators allow the monitoring of multiple network segments with one or several monitoring appliances. These Taps aggregate the traffic of up to 12 full-duplex connections into one single interface. After aggregation, the traffic is regenerated to up to 24 monitoring ports. One big advantage of this solution is that the connected monitoring system only needs one NIC to monitor all 12 connections at the same time. Link Aggregation Taps are well suited to the analysis of asymmetric network traffic and redundant routes with dynamic network protocols.

Do you send all traffic to the Link Aggregator monitor ports?

Yes, all traffic is sent to the Monitor Ports until the sum of traffic reaches the capacity of the Monitor Port. Any traffic above this threshold is dropped.

Do you receive the full line rate data stream with Port Aggregators?

Port Aggregator Taps combine traffic from both sides of a full-duplex link and send all traffic, up to the capacity of the Monitor Port, to the attached monitoring device. When utilization levels exceed the capacity of the Monitor Port, the Port Aggregator Taps buffer overflow data and send this data as soon as utilization drops below the capacity of the Monitor Ports.
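The two behaviours described above (a Link Aggregator dropping traffic above the Monitor Port capacity, a Port Aggregator buffering it) and the 50% utilization guideline can be compared in a short simulation. This is an added example, not vendor code; the buffer sizes, the one-second interval and the traffic figures are constructed assumptions.

```python
# Constructed sample: (rx_mbit, tx_mbit) offered in each 1-second interval
# on a 1 Gbit/s full-duplex link. Not measured data.
SAMPLE = [(300, 200), (700, 600), (400, 300), (200, 100)]

def peak_utilization(intervals, link_mbit=1000):
    """Highest combined utilization of the full-duplex link (0.0 to 1.0).
    A full-duplex link carries up to 2 x link_mbit in total, so anything
    above 0.5 exceeds a monitor port of the same speed."""
    return max((rx + tx) / (2 * link_mbit) for rx, tx in intervals)

def aggregate(intervals, port_mbit=1000, buffer_mbit=0):
    """Merge RX and TX onto one monitor port, interval by interval.

    buffer_mbit=0 models the drop-above-capacity behaviour; a positive
    value (assumed size) models buffering of the overflow.
    Returns (mbit_sent_per_interval, total_mbit_dropped)."""
    queued = 0
    sent, dropped = [], 0
    for rx, tx in intervals:
        offered = queued + rx + tx          # backlog first, then new traffic
        out = min(offered, port_mbit)       # monitor port drains at capacity
        leftover = offered - out
        queued = min(leftover, buffer_mbit) # keep what fits in the buffer
        dropped += leftover - queued        # the rest never reaches the tool
        sent.append(out)
    return sent, dropped

if __name__ == "__main__":
    print("peak utilization:", peak_utilization(SAMPLE))
    for buf in (0, 100, 512):
        sent, dropped = aggregate(SAMPLE, buffer_mbit=buf)
        print(f"buffer={buf:>3} Mbit  sent={sent}  dropped={dropped} Mbit")
```

Dropped traffic is traffic the attached IDS or recorder never saw, so sustained utilization above 50% on an aggregated link is a monitoring gap even when the network link itself is healthy.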

What if my network links and my monitoring tools are not the same media type?

No problem. Aggregation Taps come in a variety of media combinations that allow monitoring of fiber links with copper tools, copper links with fiber tools and are also available in several models with SFP based monitor ports that allow media type to be changed.

Why do some link aggregation capable taps have more than one output (monitor port)?

In many network environments it is desirable and often necessary to have an IDS device monitoring a link on a 24x7 basis. Additional monitor ports allow a protocol analyzer or other network management tools to access the same link on a permanent or as-needed basis. This eliminates contention for access to the data. The extra monitor ports also allow redundant devices to be connected to the same link as a failsafe measure to prevent the loss of data in case one of the connected devices has problems or needs to be updated.

Is there a tap that can provide both aggregated and non-aggregated output?

Yes. Datacom Systems SS-1200, SS-2200 and SS-4200 series taps can be configured by the user to provide either type of output or on the higher port density models can even provide both simultaneously.
An additional benefit of this design is the capability for the tap to be reconfigured to accommodate growth in utilization. These taps can initially be deployed as aggregation taps but when utilization spikes begin to dictate the addition of a monitor card to the tool and a need for non-aggregated output - they can be reconfigured by the user to provide non-aggregated output.

Regeneration Taps

What is a Regeneration Tap?

Regeneration Taps provide passive monitoring access for multiple devices. Passive Regeneration Taps enable real-time, simultaneous monitoring of a network link or Span port by up to eight protocol analyzers, intrusion detection systems, and other devices for network monitoring and troubleshooting.

How is a Regeneration Tap different from a Matrix Switch?

Regeneration Taps provide passive monitoring access for multiple devices. Ixia/Net Optics Matrix Switches provide passive monitoring access across multiple networks for analyzers to perform real-time monitoring and analysis. Matrix switches greatly increase monitoring efficiency and leverage analyzer investments.

What are the different options available with Regeneration Taps?

The Regeneration Taps come with different numbers of ports. They also support all major network interfaces such as 10/100/1000, Gigabit, and WAN (OC3 and OC12). Regeneration Taps also come in Span and in-line versions. Span Regeneration Taps give users the ability to monitor up to two Span ports independently with multiple resources, reducing the burden on your switch. The in-line models tap one critical full-duplex link and make up to ten copies of that link.

Are Regeneration Taps passive devices?

Yes, Regeneration Taps are completely passive devices.

Bypass Switches

What is a Bypass Switch?

Bypass Switches protect the link against power loss from the in-line IPS or security appliance. When the Bypass Switch is receiving power, traffic is routed to the in-line appliance. If power is lost or the appliance needs to be removed for maintenance, the Bypass Switch routes traffic past the in-line device using Fast Path technology preventing link downtime. See diagram below:

  • Bypass Switch in Enabled Mode
  • Bypass Switch in Disabled Mode

What is the heartbeat packet?

Heartbeat packets are a method by which the load balancer becomes aware that an attached Intrusion Prevention System (IPS) has lost power or had any other type of failure. The load balancer sends heartbeat packets through attached IPSs to continuously validate that the IPSs are passing traffic, the same technique used by Bypass Switches. If an IPS fails, the load balancer automatically takes the traffic that was bound to that IPS and redistributes it to the remaining active IPSs. When the failed IPS comes back online, the load balancer returns the traffic to it.
Another possible mode of dealing with IPS failures that may be offered by some monitoring load balancers is a port loopback mode. In this situation, traffic simply bypasses a failed IPS as if that IPS were connected through a bypass switch. Yet another mode is N+M tool redundancy, where one or more warm-standby IPSs are designated.

How does a Bypass Switch with Heartbeat work?

The Optical Bypass Switch with Heartbeat protects against power failure, physical link failure, and application failure on the in-line appliance. The switch checks the path through the in-line appliance by sending a packet every second from Monitor Port C. The switch validates the path when it receives the packet on the Monitor Port D. If the switch does not receive the packet as expected three times in a row, the switch automatically enters Bypass ON mode.

Can you re-configure the Heartbeat interval?

(Ixia) Yes, you can configure the Heartbeat interval and also the number of packets missed before the Bypass Switch enters Bypass Enabled Mode. The Bypass Switch has an RS232 port and a command line interface for programming Bypass Switch options. See the Installation Guide for complete information.
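The heartbeat logic described in the two answers above (one packet per second, Bypass ON after three consecutive misses, both values configurable) can be modelled as a small state machine. This is an added example, not the switch's firmware; the class and function names are hypothetical, and returning to in-line mode on the first heartbeat that comes back is an assumption the page does not state for Bypass Switches.

```python
from dataclasses import dataclass

INLINE, BYPASS_ON = "inline", "bypass-on"

# Constructed sample: True means the heartbeat sent from Monitor Port C
# came back on Monitor Port D, False means it was missed.
SAMPLE = [True, True, False, False, True, False, False, False, False, True]

@dataclass
class HeartbeatBypass:
    miss_threshold: int = 3   # page: three misses in a row
    interval_s: float = 1.0   # page: one heartbeat every second
    misses: int = 0
    state: str = INLINE

    def tick(self, returned: bool) -> str:
        """Process one heartbeat result and return the resulting state."""
        if returned:
            self.misses = 0       # any success resets the consecutive count
            self.state = INLINE   # assumption: automatic restore
        else:
            self.misses += 1
            if self.misses >= self.miss_threshold:
                self.state = BYPASS_ON
        return self.state

def simulate(results, **config):
    """Run a sequence of heartbeat results through a fresh switch."""
    switch = HeartbeatBypass(**config)
    return [switch.tick(r) for r in results]

def detection_window_s(miss_threshold=3, interval_s=1.0):
    """Approximate upper bound on the time a failed appliance stays in the
    path before the switch bypasses it (ignores per-packet timeouts)."""
    return miss_threshold * interval_s

def uninspected_ticks(states):
    """Heartbeat intervals during which traffic bypassed the appliance."""
    return sum(1 for s in states if s == BYPASS_ON)

if __name__ == "__main__":
    states = simulate(SAMPLE)
    for ok, state in zip(SAMPLE, states):
        print(f"heartbeat {'ok    ' if ok else 'missed'} -> {state}")
    print("uninspected intervals:", uninspected_ticks(states))
```

While the switch is in Bypass ON the link stays up but traffic is not inspected by the in-line appliance, so the state change is worth alerting on.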


What is Twinax cabling?

Twinaxial cabling, or "Twinax", is a type of cable similar to coax, but with two inner conductors instead of one. Due to cost efficiency it is becoming common in modern very short range high speed differential signaling applications.
One major application is the Cisco Systems implementation coupled with SFP+ modules. This type of connection is able to transmit at 10 Gigabit full-duplex speed over 10 meter distances. Moreover, this setup offers 15 to 25 times lower transceiver latency than current 10GBASE-T CAT6/CAT6a/CAT7 cabling systems: 0.1 µs for Twinax with SFP+ versus 1.5 to 2.5 µs for the current 10GBASE-T specification. The power draw of Twinax with SFP+ is around 0.1 watts, which is also much better than 4-8 watts for 10GBASE-T.
As always with cabling, one of the points to consider is the bit error ratio, or BER for short. Twinax copper cabling has a BER better than 10^-18 according to Cisco, and is therefore acceptable for applications in critical environments.

Technology Terms

Deep Packet Inspection (DPI)

Deep Packet Inspection is the ability to apply filters to a packet or multiple packets at any location, regardless of packet length or the location of the data to be matched within this packet. By applying filters based on DPI to traffic sent to a monitoring tool you are able to capture just the traffic of interest.

Fast Path™

Fast Path™ is a technology found in the Ixia/Net Optics Bypass Switches that supports fail-open monitoring with any Gigabit in-line device when it shares the same power source as the in-line appliance. As long as the Bypass Switch is receiving power, it diverts network traffic to attached in-line devices. When power is lost, Fast Path™ maintains network link integrity with high-speed switching so the network link is maintained but is no longer routed to the in-line device.

Link Fault Detect™

Link Fault Detect™ is an Ixia/Net Optics feature that gives devices connected to the Tap critical information about link status. If either side of the bi-directional link fails, the Tap immediately communicates the fault to the other device, reducing the time required to activate a redundant path.

Virtual Zero Delay (VZD)

VZD is a patent-pending technology from Ixia/Net Optics designed to improve network reliability when using copper taps. Ixia/Net Optics' innovative Virtual Zero Delay circuitry guarantees that iLink Agg in-line copper connections will never lose their links when power goes off for whatever reason - such as power failures or during planned power up and power down events.
In the past, link renegotiation has been a major challenge for copper taps, costing precious seconds or minutes of link downtime when Tap power transitions. The VZD eliminates those lengthy renegotiation cycles by preserving the link state through power transitions, as if no break existed.

Zero Delay™

Zero Delay™ is a unique tap technology offered only by Ixia/Net Optics that prevents packet loss or delay should the Tap lose power. Zero Delay technology prevents link downtime by eliminating the typical 10ms delay caused when other Taps lose power. That small delay can cascade into much longer delays as devices on the link detect a failure and attempt to re-establish communication.
