SPECTRAMI - EMEA Value Added Distributor for Security, Network Visibility, and Performance Monitoring Solutions


Many of our customers have questions about our products, solutions, and their technology in general. These frequently asked questions are presented here for your quick reference:

Network Packet Brokers

What is a Network Packet Broker (NPB)?

Network Packet Broker (NPB) defines a new category of compact, hardware-based, rack-mounted devices that offer a new approach for handling and manipulating network packets. NPBs optimize the access and visibility of traffic from one or many network links to monitoring, security and acceleration tools. NPB capabilities include:
  • Aggregation of monitored traffic from multiple links/segments
  • Filtering and grooming of traffic to relieve overburdened monitoring tools
  • Load-balancing traffic across a pool of tools
  • Regeneration of traffic to multiple tools
  • Available speeds from 1G to 100G
NPBs intelligently distribute traffic flowing from network devices across various port mappings - many-to-many, any-to-many, many-to-any, and any-to-any. Formerly NPBs were known as data monitoring switches, data access switches, matrix switches, or traffic aggregators. The category of NPB encompasses all of these.

Are NPBs out of band or in-line devices?

NPBs are designed for out of band and inline. It aggregates or copies network traffic to one or more ports.

What if my network or existing monitoring tools are not the same media type?

No problem. Most NPBs are available with a mix of copper and SFP ports also with all SFP based ports to allow complete flexibility for mixing media types.

Do Network Packet Brokers support Flow Coherency?

Yes, all our NPBs support Flow Coherency.
Flow coherency ensures complete two-way conversations are directed to the same monitoring tool - meaning that traffic flows are kept together on the same monitoring tool.

Network Taps

Are Network Taps passive devices?

Copper Network Taps as well as Fiber Network Taps are generally passive devices.
Passive in the way that these Taps don´t inject any additional data into the wire, and don´t need an IP and are fully transparent within the network.
Fiber Taps are even more passive than copper taps since they do not even need any power supply. So in the event of power loss, network traffic will flow uninterrupted as long as the network itself has power.
For copper taps Ixia invented the so called Zero Delay™ functionality which offers true zero-delay operations to prevent network disruptions for maximum network reliability. During a power outage, unique circuitry preserves the state of each network port ensuring the network link remains fully functional with zero packet loss; only monitor traffic becomes unavailable.

I am monitoring my network segment via a Span (mirror) port on my switch. How will I benefit by using a Tap?

Network Taps create permanent access ports for passive monitoring by splitting or regenerating the full-duplex network signal. The monitoring device connected to the Tap receives traffic as if it were in-line, including all errors. In contrast, a monitoring device connected to a switch Span port does not see all traffic. Corrupt network packets, or packets below minimum size, are usually dropped. Switches also eliminate Layer 1 and select Layer 2 errors, and are constrained by the bandwidth capacity of the Span port. In addition, by using a Tap you put less load on your switch buffer and can eliminate "resets" by the switch.

What is a “Potential Point of Failure” and why should it be considered as part of any network access design that includes taps?

All network hardware, no matter how reliable, must be considered as a device that could malfunction. Network architects will assess the mission critical nature of any given link, what redundant or alternate data paths exist, and how service might be impacted if a service window were required to replace a device in that link.
In some cases an in-line device that has multiple links passing through it and may be an appropriate choice. But a more conservative design might dictate that no in-line device should ever tap more than one link – thereby eliminating the possibility that two links might ever be impacted if such a device had to be replaced. The most conservative or lowest risk designs may even require that the tapping be done by a non-powered Physical Layer device such as a simple fiber tap and the task of aggregating the duplex data streams and making multiple copies for the tools be handled by a separate device.
There is no right or wrong answer for such question – it will be determined by the individual circumstances and priorities of the organization – but such issues should be considered.

What is the “TCP Reset” or Traffic Injection feature in a tap and how is it used?

Intrusion Detection Systems (IDS) may have an option to use a feature known as “Active Response” when malicious traffic is detected. If an attacker uses TCP sessions, they can be reset by RST (Reset) packets that are sent to reset one or both hosts in a session from the IDS. In the case of UDP, a session can be broken by sending various ICMP packets to the host from the IDS box.
In some cases the IDS may need to use the monitoring NIC for this purpose. Enabling a Bi-directional traffic path in the tap allows the RST packets to renter the network through a tapped copper link. In the case of a tapped fiber link the directional characteristics of fiber taps will not allow this. The “any-to-any” feature of Datacom Systems configurable taps allows the RST packets to be sent out any available extra Monitor port of the tap and enter the network via a local network switch.
Traffic injection is only done on copper based inline taps or bypass switches. Fiber taps do not allow traffic injection, based on their directional nature, they simply make a one way copy of traffic used for analysis.

I have had a Fiber Tap for a couple of years and noticed that the light loss budget seems higher. Do the Fiber Taps go bad?

Fiber components of Fiber Taps are usually designed to last for the life of your installation. Dirty or loose connectors will cause a loss of optical power. Cleaning the connectors will restore light levels in most cases.

I noticed Fiber Optic Taps are offered in multiple split ratios. Why would I need the different split ratios?

A split ratio is the amount of light that is re-directed from the network to the monitor ports. With higher split ratios, less light is re-directed from the network link to the monitoring link, ensuring adequate light power for the network link.

I have installed a Fiber Tap and verified that network traffic is passing through the Tap but I do not see traffic coming out of the Tap Monitor Ports. What should I check?

If the Transmit and Receive portions of your fiber optic cable are crossed on the Network Ports of the Tap, you will see traffic pass through the Tap but nothing coming from the Monitor Ports. Check to see that the cables going into the Network A and B ports on the Tap are as follows: TX = In, RX = Out.

Aggregation Taps

Where would I use an aggregation tap in my network?

Aggregator Taps offer total access to full-duplex links with only one NIC or network port and are ideal for Ethernet links where the total utilization is under 50%. The most likely locations on the network to deploy a link aggregation tap will be those in which IDS devices or probes need 24x7 visibility. These include the links between switches and critical servers, full duplex connections between firewalls and routers, as well as links between firewalls and a demilitarized zone (DMZ).

What´s the difference between Port Aggregators and Link Aggregators?

Port Aggregation Taps are aggregating the RX- and TX traffic of one network link to one monitoring port. Therefore it is possible to analyze the Full Duplex network traffic on one single interface. After aggregating the TX - and RX traffic to one single port, the aggregated traffic is regenerated to a second monitoring port, providing the possibility to have a second monitoring tool to analyze the Full Duplex traffic with also just one NIC.
Link Aggregators allow the monitoring of multiple network segments with one or several monitoring appliances. These Taps are aggregating the traffic of up to 12 Full Duplex connections into one single interface After aggregation, the traffic is regenerated to up to 24 monitoring Ports . One big advantage of this solution is that the connected monitoring system only needs one NIC to monitor all 12 connections at the same time. Link Aggregation Taps are perfectly designed for the analysis of asymmetric network traffic and redundant routes with dynamic network protocols.

Do you send all traffic to the Link Aggregator monitor ports?

Yes, all traffic is sent to the Monitor Ports until the sum of traffic reaches the capacity of the Monitor Port. Any traffic above this threshold is dropped.

Do you receive the full line rate data stream with Port Aggregators?

Port Aggregator Taps combine traffic from both sides of a full-duplex link and send all traffic, up to the capacity of the Monitor Port, to the attached monitoring device. When utilization levels exceed the capacity of the Monitor Port, the Port Aggregator Taps buffer overflow data and send this data as soon as utilization drops below the capacity of the Monitor Ports.

What if my network links and my monitoring tools are not the same media type?

No problem. Aggregation Taps come in a variety of media combinations that allow monitoring of fiber links with copper tools, copper links with fiber tools and are also available in several models with SFP based monitor ports that allow media type to be changed.

Why do some link aggregation capable taps have more than one output (monitor port)?

In many network environments it is desirable and often necessary to have an IDSdevice monitoring a on a 24x7 basis. Additional monitor ports allow a protocol analyzeror other network management tools to access the same link on a permanent or as needed basis. This eliminates contention for access to the data. The extra monitor ports also allow redundant devices to be connected to the same link as a failsafe measure to prevent the loss of data in case one of the connected devices has problems or needs to be updated.

Is there a tap that can provide both aggregated and non-aggregated output?

Yes. Datacom Systems SS-1200, SS-2200 and SS-4200 series taps can be configured by the user to provide either type of output or on the higher port density models can even provide both simultaneously.
An additional benefit of this design is the capability for the tap to be reconfigured to accommodate growth in utilization. These taps can initially be deployed as aggregation taps but when utilization spikes begin to dictate the addition of a monitor card to the tool and a need for non-aggregated output - they can be reconfigured by the user to provide non-aggregated output.

Bypass Switches

What is a Bypass Switch?

Bypass Switches protect the link against power loss from the in-line IPS or security appliance. When the Bypass Switch is receiving power, traffic is routed to the in-line appliance. If power is lost or the appliance needs to be removed for maintenance, the Bypass Switch routes traffic past the in-line device using Fast Path technology preventing link downtime. See diagram below:

  • Bypass Switch in Enabled Mode
  • Bypass Switch in Disabled Mode

What is the heartbeat packet?

Heartbeat packets are a method of by which the load balancer becomes aware that an attached Intrusion Prevention System (IPS) lost power or had any other type of failure. The load balancer sends heartbeat packets through attached IPSs to continuously validate that the IPSs are passing traffic - the same technique used by Bypass Switches. If an IPS fails, the load balancer automatically takes the traffic that was bound to that IPS and redistributes it to the remaining active IPSs. When the failed IPS comes back online, the load balancer returns the traffic to it.
Another possible mode of dealing with IPS failures that may be offered by some monitoring load balancers is a port loopback mode. In this situation, traffic simply bypasses a failed IPS as if that IPS were connected through a bypass switch. Yet another mod is N+M tool redundancy where one or more warm-standby IPSs are designated.

How does a Bypass Switch with Heartbeat work?

The Optical Bypass Switch with Heartbeat protects against power failure, physical link failure, and application failure on the in-line appliance. The switch checks the path through the in-line appliance by sending a packet every second from Monitor Port C. The switch validates the path when it receives the packet on the Monitor Port D. If the switch does not receive the packet as expected three times in a row, the switch automatically enters Bypass ON mode.


What is Twinax cabling?

Twinaxial cabling, or "Twinax", is a type of cable similar to coax, but with two inner conductors instead of one. Due to cost efficiency it is becoming common in modern very short range high speed differential signaling applications.
One of major applications includes Cisco Systems implementation coupled with SFP+ modules. This type of connection is able to transmit at 10 Gigabit full duplex speed over 10 meter distances. Moreover this setup offers 15 to 25 times lower transceiver latency than current 10GBASE-T CAT6/CAT6a/CAT7 cabling systems: 0.1 µs for Twinax with SFP+ versus 1.5 to 2.5 µs for current 10GBASE-T specification. The power draw of Twinax with SFP+ is around 0.1 watts, which is also much better than 4-8 watts for 10GBASE-T.
As always with cabling one of the consideration points is Bit error ratio or BER for short. Twinax copper cabling has BER better than 10-18 according to Cisco, and therefore is acceptable for applications in critical environments.

Technology Terms

Deep Packet Inspection (DPI)

Deep Packet Inspection is the ability to apply filters to a packet or multiple packets at any location, regardless of packet length or the location of the data to be matched within this packet. By applying filters based on DPI to traffic sent to a monitoring tool you are able to capture just the traffic of interest.

Talk to us

+49 6102 748-0