On Thu, 01 Jul 2010 19:24:38 -0400, Darren Bolding <darren@bolding.org> wrote:
Tap manufactures will be sure to tell you of many issues.
Well, there are issues on both sides... A true tap is an electronic mirror. It doesn't much care what the signal is; whatever it senses, it replicates. As the OP is talking about an aggrigating tap, he's already using a switch. I've used NetworkCritical, NetOptics, and several other "cheap" taps. None of them are even remotely cheap. That said, use an ethernet switch...
The main concern I would have is that it is possible for a switch to drop frames of a SPAN. Your decision might be influenced based on your application and the impact of such errors (billing, lawful intercept, forensics).
Yes, a switch can drop traffic (inbound and out.) But so can a tap. And so can the thing listening to the tap. At work I'm configuring an integrate Broadcom 10G switch (SoC) as a pure mirror. The ports wired to the system form a trunk group which is the destination for the mirror of the external ports. This is exactly what you'll find inside $$$$$ commercial multiport aggrigating "taps". (and btw, we've thrown over 1Mpps at it without issue; ~50% 64byte packets, the bane of any switch. (recorded) real world traffic, not some Spirent simulation.) --Ricky