About TAP Aggregation
Network TAPs
You can use various methods to monitor packets. One method uses physical hardware test access points (TAPs).
Network TAPs can be extremely useful in monitoring traffic because they provide direct inline access to data that flows through the network. In many cases, a third party monitors the traffic between two points in the network. If the network between points A and B consists of a physical cable, a network TAP might be the best way to accomplish this monitoring. The network TAP has at least three ports: an A port, a B port, and a monitor port. A TAP inserted between the A and B ports passes all traffic through unimpeded, but it also copies that same data to its monitor port, which could enable a third party to listen.
TAPs have the following benefits:
- They can handle full-duplex data transmission.
- They are unobtrusive and not detectable by the network (with no physical or logical addressing).
- Some TAPs support full inline power with the capability to build a distributed TAP.
If you are trying to gain visibility into the server-to-server data communication at the edge or virtual edge of your network or to provide a copy of traffic to the Intrusion Prevention System (IPS) appliance at the Internet edge of your network, you can use network TAPs nearly anywhere in the environment. However, this deployment can add significant costs, operation complexities, and cabling challenges in a large-scale environment.
TAP Aggregation
TAP aggregation is an alternative solution to help with monitoring and troubleshooting tasks in the data center. It works by designating a device that aggregates multiple test access points (TAPs) and connects to multiple monitoring systems. TAP aggregation switches link all of the monitoring devices to specific points in the network fabric that handle the packets that need to be observed.
In the TAP aggregation switch solution, a Cisco Nexus 9000 Series switch is connected to various points in the network at which packet monitoring is advantageous. From each network element, you can use switched port analyzer (SPAN) ports or optical TAPs to send traffic flows directly to this TAP aggregation switch. The TAP aggregation switch is directly connected to all of the analysis tools used to monitor the events in the network fabric. These monitoring devices include remote monitor (RMON) probes, application firewalls, IPS devices, and packet sniffer tools.
You can configure the TAP aggregation switch to filter specific traffic and redirect it to one or more tools. In order to redirect the traffic to multiple interfaces, a multicast group is created internally on the switch, and the interfaces that are part of the redirect list are added as member ports. When an access control list (ACL) policy with the redirect action is applied to an interface, the traffic matching the ACL rule is redirected to the internal multicast group that is created.
Guidelines and Limitations for TAP Aggregation
Note: For scale information, see the release-specific Cisco Nexus 9000 Series NX-OS Verified Scalability Guide.
TAP aggregation has the following guidelines and limitations:
- TAP aggregation is supported for all Cisco Nexus 9000 series switches and the 3164Q, 31128PQ, 3232C, and 3264Q switches. It is not supported for Cisco Nexus 9700-EX and 9700-FX line cards until Cisco NX-OS Release 7.0(3)I7(2).
- TAP aggregation is not supported for Cisco Nexus 9508 switches with a 9732C-EX line card.
- Cisco Nexus 9700-EX and 9700-FX line cards support TAP aggregation with IPv4, IPv6, and MAC ACLs.
- TAP aggregation is supported only on switch ports and only in the ingress direction.
- TAP aggregation is supported on 100G ports.
- Only Layer 2 interfaces support the TAP aggregation policy. You can apply the policy to a Layer 3 interface, but the policy becomes nonfunctional.
- The redirect port must be part of the same VLAN as the source (TAP) port.
- Each rule must be associated with only one unique match criterion.
- When you enter a list of interfaces for the TAP aggregation policy, you must separate them with commas but no spaces. For example, port-channel50,ethernet1/12,port-channel20.
- When you specify target interfaces in a policy, make sure that you enter the whole interface type and not an abbreviated version. For example, make sure that you enter ethernet1/1 instead of eth1/1 and port-channel50 instead of po50.
- Beginning with Cisco NX-OS Release 7.0(3)I5(2), TAP aggregation supports IPv4 ACLs with UDF-based match for Cisco Nexus 9200, 9300, and 9300-EX platform switches.