Introduction to TAP aggregation

 
 

Introduction

Traditional approaches to network monitoring rely on the ongoing collection of generic, high-level statistics, such as interface utilization, from a selection of network devices to detect trends or anomalies in service availability.

Such metrics are inherently limited in granularity and often give only a hint of real underlying network conditions, without any visibility into per-application activity or performance.

Traditionally, reactive and localized packet capture would be employed to determine the cause of the performance degradation. However, the manual work of configuring packet capture and mirroring, and then physically attaching to network devices close to the problem, makes problem solving laborious and, at best, reliant on a degree of luck. Moreover, many packet mirroring implementations are limited in scope (e.g. the number of interfaces that can be monitored) or have some detrimental effect on the forwarding of regular production traffic, which reduces their utility for general-purpose requirements.

Fortunately, the advent of better device-derived telemetry, such as Arista’s own LANZ queue depth monitoring, high-rate counters and automated packet capture, as well as coarse-grained flow analysis tools such as sFlow (RFC 3176), has significantly improved the ability to isolate anomalous behavior. However, the need to capture actual traffic hasn’t been completely eliminated.

Packet flow capture is required for a number of applications including:

  • Application performance monitoring
  • Threat detection/prevention
  • Capacity profiling/planning
  • Lawful interception/monitoring
  • Troubleshooting

Solution

The ideal solution is to provide always-on monitoring at multiple strategic points in the infrastructure, leveraging integrated packet mirroring where feasible or passive techniques such as inline optical taps as appropriate. Aggregating and filtering this traffic while providing selective distribution to one or more consuming tools is the job of the Tap Aggregator (also known as a Network Packet Broker, Matrix Switch or Aggregation Tap).

The most flexible Tap Aggregators, such as Arista’s 7150 platform, offer extensive functionality to combine and manipulate traffic including features such as:

  • Packet filtering based on well-known L2, L3 and L4 header fields
  • Deep Packet Inspection (DPI) – user customizable filters with the ability to inspect packet data beyond traditional headers
  • Packet truncation (slicing)
  • Replication of traffic across multiple tools
  • Load-sharing of traffic across a pool or cluster of tools
  • Identity marking of traffic for the purposes of classification
  • Removal of surplus headers
  • Support for multiple mixed interface speeds and transceiver types
  • Support for multiple sources (e.g. mirror ports and optical taps)

Arista’s 7150, 7280 and 7500 platforms are a unique breed of hybrid tap aggregation devices, allowing users to leverage both traditional networking capabilities and tap aggregation in the same physical unit. Combined with a robust, open and extensible OS with easy-to-use APIs and a GUI, they form a key building block in a modern automated network monitoring strategy.
