A: Passive Network Taps are network taps that will cause absolutely no change in the state of the link if the tap loses power. In the event of power loss, network traffic will flow uninterrupted as long as the network itself has power. Datacom Systems taps designed for Gigabit fiber links, 10/100 only, T-1/E-1 and DS-3 are passive.
A: Active taps rely on a Fail-over system for power fault tolerance. If an Active tap loses power a set of copper relays will fall into a closed position to provide a passive bypass. When the passive bypass system is engaged a momentary interruption of link occurs. This can be kept to an absolute minimum by configuring the endpoint devices of the tapped link for PortFast or FastLearn.
A: There is no truly passive scheme for tapping copper Gigabit. Some manufacturers have enlisted internal batteries to hold the copper relay if the tap loses power. This is a dangerous gimmick, since the battery life comes into question to support an active production link. All current copper Gigabit capable taps are Active devices and rely on relay based power fault tolerance systems.
A: That depends on the model of tap that you use. If you are using one of our passive taps, such as the SS-100, the answer is no. Only our network taps that have the TCP reset function built in can make the connected monitoring device visible on the network.
A: All of our network taps are designed with redundant, load balancing power supplies. Due to this design our taps will operate normally with only one power supply attached allowing for the failing power supply to be replaced or "Hot Swapped".
A: Our Active Taps use a relay-based fail-over system. If the tap loses power or regains power, the relay snaps into a position that allows data to travel through the tap. The relay takes approximately 600 microseconds to either open or close. This is true regardless of how the port speed is set. The benefit of setting the tap to not autonegotiate is that your endpoint devices will establish link with each other more quickly once the relay is in place. It is also possible that Spanning Tree will recalculate upon the reconnection of the link. This delay can be minimized by setting "PortFast" or "FastLearn" on the endpoint devices.
A: Intrusion Detection Systems (IDS) may have an option to use a feature known as “Active Response” when malicious traffic is detected. If an attacker uses TCP sessions, they can be reset by RST (Reset) packets that are sent to reset one or both hosts in a session from the IDS. In the case of UDP, a session can be broken by sending various ICMP packets to the host from the IDS box.
In some cases the IDS may need to use the monitoring NIC for this purpose. Enabling a bi-directional traffic path in the tap allows the RST packets to re-enter the network through a tapped copper link. In the case of a tapped fiber link, the directional characteristics of fiber taps will not allow this. The “any-to-any” feature of Datacom Systems configurable taps allows the RST packets to be sent out any available extra Monitor port of the tap and enter the network via a local network switch.
Traffic injection is only done on copper based inline taps or bypass switches. Fiber taps do not allow traffic injection because of their directional nature: they simply make a one way copy of traffic used for analysis.
A: In order to introduce traffic injection into the network, there must be an actual bidirectional physical connection between the tap's monitor ports and the link itself. For this reason neither passive copper taps nor fiber taps can support bi-directional traffic or can be used with traffic injection.
A: Auto-negotiation and speed sensing allows the port of a network device to automatically detect the speed and duplex setting of the link (10/100/1000 and half or full duplex) and negotiate link with the connected device.
If two Auto-enabled devices fail to properly establish link they will typically default to a lower speed half duplex setting - serious performance issues on the link result. Also, if an Auto enabled device is connected to a device with fixed settings they will sometimes initially establish link but may fail to re-establish link if a port goes up and down or if endpoints reboot.
A: All network hardware, no matter how reliable, must be considered as a device that could malfunction. Network architects will assess the mission critical nature of any given link, what redundant or alternate data paths exist, and how service might be impacted if a service window were required to replace a device in that link.
In some cases an in-line device that has multiple links passing through it may be an appropriate choice. But a more conservative design might dictate that no in-line device should ever tap more than one link, thereby eliminating the possibility that two links might ever be impacted if such a device had to be replaced. The most conservative or lowest risk designs may even require that the tapping be done by a non-powered Physical Layer device such as a simple fiber tap, and that the task of aggregating the duplex data streams and making multiple copies for the tools be handled by a separate device.
There is no right or wrong answer for such a question. It will be determined by the individual circumstances and priorities of the organization, but such issues should be considered.
A: That depends on the model of tap that you use and how it is configured. If you are using a truly passive tap, such as a fiber tap, the answer is no. Gigabit capable copper taps that are configurable can be set up by the user to allow bi-directional traffic back onto the link. The monitoring tool will be visible only if the tap has a bi-directional traffic path intentionally configured to allow this. The default configuration of these taps has bi-directional traffic disabled for security reasons. It can be changed only by an administrator logged in via Superuser mode.
A: Yes - all products include two (2) redundant power supplies with the initial purchase, and the devices are designed to run solely on one power supply. Additional power supplies may be purchased separately.
A: The optional AC Power Supply model RPS-12-5-AC addresses this need. The 1U rack mountable chassis is equipped with two load sharing hot-swappable power supplies and contains 24 lead power connections to provide dual redundant power for up to 12 Datacom Systems devices. Models such as the SS-1204BT-BT-S, VS-1208BT-S and 10/100/1000-TAP may be redundantly powered by the RPS-12-5 which is available with both AC and DC inputs.
A: Aggregation Taps are network taps that can combine the copies of data from both sides of one or more full duplex links and send the "aggregated" copy of the entire transmission to a connected monitoring device, which receives it on a single capture/monitoring NIC. Datacom Systems aggregation taps are all in the product family known as SINGLEstream™.
A: Traditional full duplex taps provide a dual stream of non-aggregated output – one monitor port for each side of the conversation. This requires use of “dual receive” devices, which have two separate monitor cards and combine the data streams after receiving it. Protocol analyzers, probes, and intrusion detection systems (IDS) of this variety are more expensive and are less common in today’s networks.
Many of the most widely used packet sniffer and IDS tools are based, respectively, on the open source Wireshark and Snort products, neither of which supports receiving on separate NICs and recombining the data. The SINGLEstream™ tap can combine the bi-directional traffic from a full duplex conversation into a single data stream, thus allowing such tools, which have half duplex single receive monitor cards, to be used in-line on full duplex links.
A: Yes. Datacom Systems SS-1200, SS-2200 and SS-4200 series taps can be configured by the user to provide either type of output or on the higher port density models can even provide both simultaneously.
An additional benefit of this design is the capability for the tap to be reconfigured to accommodate growth in utilization. These taps can initially be deployed as aggregation taps but when utilization spikes begin to dictate the addition of a monitor card to the tool and a need for non-aggregated output - they can be reconfigured by the user to provide non-aggregated output.
A: In many network environments it is desirable and often necessary to have an IDS device monitoring a link on a 24x7 basis. Additional monitor ports allow a protocol analyzer or other network management tools to access the same link on a permanent or as needed basis. This eliminates contention for access to the data. The extra monitor ports also allow redundant devices to be connected to the same link as a failsafe measure to prevent the loss of data in case one of the connected devices has problems or needs to be updated.
A: Although ideal for Ethernet links where the total utilization is under 50% (both directions of the link share one output stream), the SINGLEstream™ Aggregation Tap may be used on any full duplex Ethernet link. The most likely locations on the network to deploy a link aggregation tap will be those in which probes or IDS devices need 24x7 visibility. These include the links between switches and critical servers, full duplex connections between routers and firewalls, and links between firewalls and a demilitarized zone (DMZ).
A: Yes – the output of a link aggregation tap may be connected to a matrix switch in exactly the same manner as a SPAN port or shared media hub is connected.
A: The SINGLEstream™ Link Aggregation Tap is completely non-intrusive and lets all data pass through the network untouched. However, it only sends data from Layers 3-7 to the devices connected on the tap ports. Security devices are usually unconcerned with Layer 1 and Layer 2 traffic or unable to process it. As such, almost all security devices discard Layer 1 and Layer 2 data anyway. Even protocol analyzers and network probes primarily concentrate on Layers 3-7 and might also be unable to process Layer 1 and Layer 2 data unless equipped with special software and hardware. In the areas of the network where the SINGLEstream™ Link Aggregation Tap will most likely be used, Layer 1 and Layer 2 traffic are even less of a concern. Any customer who is used to traditional network monitoring or analysis using SPAN ports is already used to working exclusively with Layers 3-7. However, unlike SPAN ports, the SINGLEstream™ Link Aggregation Tap is able to forward VLAN tagging information.
A: A Network Packet Broker (NPB) or Network Monitoring Switch is a network device that acts like a network patch panel, but with the ability to aggregate and copy traffic to one or more ports. NPBs can combine data from multiple Ethernet network segments into one or more aggregated streams of data, perform port steering, and regenerate ports, so that multiple copies of data are available for multiple tools. Some models have packet filtering capability.
NPBs are not designed to be inline devices; they receive their network traffic from two (2) different types of source. Most often, customers deploy taps on their network links. Taps are inline devices that make a copy of network traffic, and that copy is sent from the tap into the NPB. Other solutions use mirror ports or SPANs to collect traffic from the network; the mirror ports are connected into the Network Monitoring Switch for aggregation or regeneration (copies). Because NPBs work with copies of network traffic from a tap or mirror port, they are referred to as out of band devices rather than inline devices.
VERSAstream™ is the Datacom Systems brand name for Network Packet Brokers or Network Monitoring Switches. These two terms are interchangeable.
Many solutions connect a VERSAstream™ to an intrusion detection system, protocol analyzer, or network probe. These devices can receive the aggregated data with just one network interface card (NIC). Network and security personnel are then able to monitor several network links simultaneously with as little as one monitoring tool. In many environments there are multiple areas of interest at the access layer or network edge that have either lower utilization or use lower speed data sources.
The VERSAstream™ allows these data sources to be aggregated together and monitored by a single high speed or high capacity tool instead of multiple lower speed legacy tools. This reduces the overall number of tools needed and dramatically reduces the rack space required, while also lowering ongoing support and maintenance costs for monitoring tool software and hardware.
A: The VERSAstream™ is designed to receive traffic from an external tap or SPAN. It aggregates or copies network traffic to one or more ports.
A: Ports can be designated as input only, output only, or both. Traffic can be steered to any other port. The connection can be configured so that traffic is either one way or two way between ports. A full duplex connection must be configured in each direction. One way traffic is usually preferred for most analysis applications, but sometimes two way traffic is necessary.
A: There is some latency when packet copies are aggregated and/or regenerated by the VERSAstream™; contact your Datacom Systems account representative or authorized partner for more information.
A: Typically the network edge (between internal routers and switches). The VERSAstream™ is available in a wide variety of media combinations and can accept inputs from 100 M, 1000 M and 10G devices, so it can be inserted into any copper or fiber Ethernet environment, depending on the model. The VERSAstream™ allows multiple devices to monitor the same links, so anywhere contention is an issue will benefit from this product, typically security environments or mixed environments using network analyzers and intrusion detection systems.
A: Yes. A variety of speeds and ports are available. Many of our devices have SFP+ or SFP ports for 10G and 1G capability.
A: No problem. VERSAstream™ models are available with a mix of copper and SFP ports, and also with all SFP based ports, to allow complete flexibility for mixing media types.
A: The VERSAstream™ can accept and aggregate up to 1000 Mbps of data sustained at line rate.
In a Gigabit Ethernet or slower environment, it is possible to exceed 100% utilization if more than 1000 Mbps of input is received at one time. To prevent exceeding 100% utilization, the sum of all the input ports should never exceed 1000 Mbps, which can be achieved by connecting fewer devices to the VERSAstream™, pre-filtering the data, or reducing the traffic load of the attached network segments. The VERSAstream™ also includes buffer memory to absorb utilization spikes.
A: Datacom Systems recommends matching the aggregate total of input data carefully to ensure that the throughput capacity of the tool is not exceeded. The flexible “any-to-any” feature of the VERSAstream™ allows the user to reconfigure and change the ratio of input ports to aggregated output ports. As utilization levels on the network increase over time the inputs can be aggregated in smaller groups and additional monitor ports added to the tools to accommodate this growth. If sustained high utilization rates occur as the result of aggregation or bursts in traffic, consider a VERSAstream™ model with packet filtering or load balancing capability, such as the VS-1212-F or VS-1224-F.
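The oversubscription check and the "aggregate in smaller groups" advice above, worked through as an added example (not Datacom Systems software). It assumes each aggregated output port carries at most 1000 Mbps, that both directions of a tapped full duplex link land in one output stream, and uses constructed link loads.

```python
# Added illustration, not Datacom Systems software.
# Assumption: each aggregated monitor output carries at most CAPACITY_MBPS.
from dataclasses import dataclass

CAPACITY_MBPS = 1000  # line rate of one aggregated output, as the FAQ states

@dataclass(frozen=True)
class Link:
    name: str
    tx_mbps: float  # sustained load in one direction of the full duplex link
    rx_mbps: float  # sustained load in the other direction

def aggregated_load(links):
    # Both directions of every tapped link are copied into ONE stream,
    # so the output must carry tx + rx of each link in the group.
    return sum(l.tx_mbps + l.rx_mbps for l in links)

def oversubscribed(links, capacity=CAPACITY_MBPS):
    # Sustained load above line rate is the ">100% utilization" case;
    # buffer memory only absorbs short bursts, not a steady excess.
    return aggregated_load(links) > capacity

def plan_groups(links, capacity=CAPACITY_MBPS):
    # Split links into the fewest groups that each fit one output port
    # (first-fit-decreasing bin packing). Each group needs its own monitor
    # port on the tool. A link whose own tx + rx exceeds the capacity cannot
    # be aggregated at all and needs dual-receive, non-aggregated output.
    groups = []
    for link in sorted(links, key=lambda l: l.tx_mbps + l.rx_mbps, reverse=True):
        need = link.tx_mbps + link.rx_mbps
        if need > capacity:
            raise ValueError(f"{link.name}: {need} Mbps exceeds a {capacity} Mbps output")
        for group in groups:
            if aggregated_load(group) + need <= capacity:
                group.append(link)
                break
        else:
            groups.append([link])
    return groups

# Constructed sample: five full duplex Gigabit links with measured sustained loads.
SAMPLE_LINKS = [
    Link("fw-dmz", 300, 250),     # 550 Mbps combined
    Link("core-srv1", 450, 400),  # 850 Mbps combined
    Link("core-srv2", 120, 80),   # 200 Mbps combined
    Link("rtr-fw", 200, 150),     # 350 Mbps combined
    Link("edge-sw", 60, 40),      # 100 Mbps combined
]
```

For the sample, all five links on one output total 2050 Mbps (oversubscribed), while `plan_groups` splits them into three outputs of 950, 900 and 200 Mbps, i.e. three monitor ports on the tool.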
A: Since our devices are standards compliant, you can connect any device to our products. The VERSAstream™ is platform independent and will accept connections from analyzers, IDS, IPS, and probes from any manufacturer with the appropriate port media and interface.
A: Deploy a VERSAstream™ connected to network taps and SPAN ports throughout the network. Traffic from various points in the network can then be aggregated into a single stream of data, so that a network analyzer or intrusion detection system can see the end-to-end path of packets as they travel through the network.
A: Devices that support a serial connection ship with a 72 inch DB9M-DB9F serial cable. Managed devices ship with a 32 inch RJ45 Ethernet cable.
Serial cable pinout:
Pin 2 is used to receive data
Pin 3 is used to transmit data
Pin 5 is used for signal ground
A: The distance of the control cable is limited by the distance the network analyzer or monitoring device can be from the device. There are two connections between the switch and the analyzer: the Control cable, which connects to the COM port for Serial Control purposes, and the Common cable, which provides a data connection to the monitor card for the topology being analyzed. The total cabling distance is determined by adding up the lengths of all cables (the primary cables, daisy chain cables and any additional cables between the matrix switch's Network ports and the data access points such as SPAN ports). When all relevant cable lengths are added together, the sum must be equal to or less than the maximum allowable distance for the topology in use (e.g. the Common cables, Daisy cables and cables from the 4X16SP-1000BT to the SPAN port must not exceed 100 meters in total).
A: Connections to the female ports on Datacom Systems devices are made with customer provided patch cables appropriate for the specific network environment.