Gigabit CopperAggregator nTAPUser Guide

Notice

Every effort was made to ensure that the information in this manual was accurate at the time of printing. However, informationis subject to change without notice, and Viavi reserves the right to provide an addendum to this manual with information notavailable at the time that this manual was created.

Copyright

© Copyright 2016 Viavi Solutions Inc. All rights reserved. Viavi and the Viavi logo are trademarks of Viavi Solutions Inc. (“Viavi”). Allother trademarks and registered trademarks are the property of their respective owners. No part of this guide may be reproducedor transmitted, electronically or otherwise, without written permission of the publisher.

Copyright release

Reproduction and distribution of this guide is authorized for Government purposes only.

Terms and conditions

Specifications, terms, and conditions are subject to change without notice. The provision of hardware, services, and/or softwareare subject to Viavi standard terms and conditions, available at www.viavisolutions.com/terms.

Specifications, terms, and conditions are subject to change without notice. All trademarks and registered trademarks are theproperty of their respective companies.

Federal Communications Commission (FCC) Notice

This product was tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules.These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in acommercial environment. This product generates, uses, and can radiate radio frequency energy and, if not installed and used inaccordance with the instruction manual, may cause harmful interference to radio communications. Operation of this product in aresidential area is likely to cause harmful interference, in which case you will be required to correct the interference at your ownexpense.

The authority to operate this product is conditioned by the requirements that no modifications be made to the equipment unlessthe changes or modifications are expressly approved by Viavi.

Laser compliance

This device is a class 1 laser product.

Industry Canada Requirements

This Class A digital apparatus complies with Canadian ICES-003.

Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada.

WEEE and Battery Directive Compliance

Viavi has established processes in compliance with the Waste Electrical and Electronic Equipment (WEEE) Directive, 2002/96/EC,and the Battery Directive, 2006/66/EC.

This product, and the batteries used to power the product, should not be disposed of as unsorted municipal waste and should becollected separately and disposed of according to your national regulations. In the European Union, all equipment and batteriespurchased from Viavi after 2005-08-13 can be returned for disposal at the end of its useful life. Viavi will ensure that all wasteequipment and batteries returned are reused, recycled, or disposed of in an environmentally friendly manner, and in compliancewith all applicable national and international waste legislation.

It is the responsibility of the equipment owner to return equipment and batteries to Viavi for appropriate disposal. If theequipment or battery was imported by a reseller whose name or logo is marked on the equipment or battery, then the ownershould return the equipment or battery directly to the reseller.

Instructions for returning waste equipment and batteries to Viavi can be found in the Environmental section of Viavi web siteat http://www.viavisolutions.com. If you have questions concerning disposal of your equipment or batteries, contact Viavi WEEEProgram Management team at WEEE.EMEA@viavisolutions.com.

Technical Support

North America 1.844.GO VIAVI / 1.844.468.4284Latin America +52 55 5543 6644EMEA +49 7121 862273APAC +1 512 201 6534All Other Regions viavisolutions.com/contactsemail customer.care@viavisolutions.com

Support hours are 7:00 A.M to 7:00 P.M. (local time for each office).

Table of Contents

Chapter 1: Getting started.................................................................................................................. 5

Gigabit Copper Aggregator nTAP Overview............................................................................................. 5

Security, convenience, and dependability.................................................................................................5

Chapter 2: Why choose a TAP or SPAN port...................................................................................... 6

Choosing between a SPAN, Aggregator, or full-duplex TAP................................................................... 6

Deciding whether to use a TAP or a SPAN/mirror port....................................................................... 8

When to use a SPAN/mirror port.........................................................................................................10

When to use the Aggregator TAP........................................................................................................12

When to use a full-duplex TAP.............................................................................................................14

Chapter 3: Features............................................................................................................................15

Features....................................................................................................................................................... 15

Chapter 4: Standard and Optional Parts......................................................................................... 16

Parts..............................................................................................................................................................16

Chapter 5: Gigabit Copper Aggregator nTAP Installation..............................................................17

Installing...................................................................................................................................................... 17

Chapter 6: LEDs and connection sequence..................................................................................... 19

Chapter 7: Technical Specifications................................................................................................. 21

Technical specifications.............................................................................................................................21

Chapter 8: Troubleshooting..............................................................................................................23

What happens if my TAP loses power?....................................................................................................23

What latency does a TAP create?............................................................................................................. 23

Are the analyzer ports “send only”?.........................................................................................................23

Not seeing traffic at the analyzer from the TAP..................................................................................... 24

Can I daisy chain an Aggregator TAP?.................................................................................................... 24

Can I “team” or bond NICs in my analyzer?............................................................................................24

How do I connect my failover devices?....................................................................................................26

Choosing crossover or straight-through cables..................................................................................... 26

4 Table of Contents (23 Jan 2016) — Archive/Non-authoritative version

I am seeing CRC errors on my network................................................................................................... 26

VLAN tags not visible at the analyzer......................................................................................................27

Memory........................................................................................................................................................ 27

Maximum frame size..................................................................................................................................27

Understanding why Link B is active when Link A is offline................................................................... 27

Chapter 9: FCC compliance statement.............................................................................................29

Index....................................................................................................................................................30

1

Chapter 1: Getting started

Gigabit Copper Aggregator nTAP OverviewThank you for purchasing the Gigabit Copper Aggregator nTAP. Your new productis the most robust, secure, and convenient mechanism for network analyzers andsimilar devices to copy data streams from high-capacity network links.

A network Test Access Port (TAP) provides access to the data streams passingthrough a high-speed, full-duplex network link (typically between a networkdevice and a switch). The TAP copies both sides of a full-duplex link (copper oroptical, depending on type of TAP), and sends the copied data streams to ananalyzer, probe, intrusion detection system (IDS) or any other analysis device.There are different TAP models available to monitor both copper and opticallinks.

Security, convenience, and dependabilityThe security and convenience of a TAP makes it preferable to inline connectionsfor network analysis and intrusion detection and prevention (IDS/IPS)applications.

Because a TAP has no address on the network, the TAP and the analyzerconnected to it cannot be the target of a hack or virus attack. TAPs areeconomical to install, allowing you to leave them permanently deployed. Thisallows you to connect and disconnect the analysis device as needed withoutbreaking the full-duplex connection, much like plugging in an electrical device.

A TAP is also preferable to using a switch’s SPAN/mirror port to copy the datastream. Unlike the SPAN/mirror port, a TAP will not filter any SPAN/mirror port isa half-duplex link (that is, a send-only “simplex” data stream), it has the capacityto transmit only half of a fully-saturated link. Additionally, a TAP does not useany of the switch’s CPU resources.

2

Chapter 2: Why choosea TAP or SPAN port

Choosing between a SPAN, Aggregator, or full-duplexTAP

Whether you use a SPAN/mirror port, aggregator TAP, or full-duplex TAP dependson the saturation level of the link (up to 200% of link speed when both sides arecombined) you want to monitor and the level of visibility you require.

There are numerous ways to access full-duplex traffic on a network for analysis:SPAN/mirror ports, Aggregator TAPs, or full-duplex TAPs are the three mostcommon.

Each approach has advantages and disadvantages. SPANs and Aggregator TAPsare designed to work with a standard (and usually less expensive) networkcard on the analysis device, but their limitations make them less than ideal forsituations where it is necessary to guarantee the visibility of every packet on thewire.

A full-duplex TAP is the ideal solution for monitoring full-duplex networksutilized at more than 50 percent (100% when both sides are combined), but itsdesign requires that the analyzer be a specialized device with a dual-receivecapture interface that is capable of capturing the TAP’s output, providingaccurate timing, and recombining the data for analysis.

Table 1 list the advantages and disadvantages of three common methods ofaccessing traffic from full-duplex networks for analysis, monitoring, or forensics:

Table 1: Methods of accessing traffic Aggregator SPAN/Mirror Full-DuplexRequires power X X X1

Choosing between a SPAN, Aggregator, or full-duplex TAPChapter 2: Why choose a TAP or SPAN port 7

Aggregator SPAN/Mirror Full-Duplex

Better2 protectionagainst droppedpackets

X X

Uses single-receivecapture card

X X

Uses internal bufferto mitigate trafficspikes

X3

Suitable fornetworks with lightto moderate trafficwith occasionalspikes

X

Passes OSI Layer 1& 2 errors

X X

Not Addressable(cannot be hacked)

X X

Requires dual-receive capturecard

X

Ideal for heavytraffic/criticalnetworks

X

Suitable fornetworks with lightto moderate traffic

X

Remotelyconfigurable

X

1.  The Optical TAP does not require power, but the Copper TAP does.2.  Better protection against dropping packets than SPAN/mirror.3.  Although the Aggregator TAP has an internal buffer that mitigates spikes in traffic, when thebuffer itself is full, the new packets are dropped until the output of the buffer can catch up.

Whether you are monitoring a network for security threats or capturing anddecoding packets while troubleshooting, you need a reliable way to see thenetwork traffic. The appropriate TAP for capturing full-duplex data for analysisdepends on the rates of traffic you must monitor, and what level of visibility yourequire.

♦ Attaching a monitoring or analysis device to a switch’s analyzer port(SPAN/mirror port) to monitor a full-duplex link.

Because a SPAN/mirror port is a send-only simplex stream of data thereis a potential bottleneck when trying to mirror both sides of a full-duplexlink to the analyzer’s single receive channel. When to use a SPAN/mirrorport.

♦ Attaching a monitoring or analysis device to an Aggregator TAP insertedinto a full-duplex link.

As with a SPAN, the Aggregator TAP copies both sides of a full-duplex linkto the analyzer’s single receive channel. It uses buffering which makes itsomewhat better able to keep up with higher traffic levels than a SPAN.

Choosing between a SPAN, Aggregator, or full-duplex TAP8 Gigabit Copper Aggregator nTAP (23 Jan 2016) — Archive/Non-authoritative version

For more details, see When to use the Aggregator TAP and Choosing theAggregator TAP buffer size.

♦ Attaching a dual-receive monitoring or analysis device to a full-duplex TAPinserted into a full-duplex link.

Dual-receive means that the network card on the analysis device has tworeceive channels rather than the transmit and receive channels associatedwith a standard full-duplex link. For more details, see When to use a full-duplex TAP.

Deciding whether to use a TAP or a SPAN/mirror portSPANs are great for proof of concepts and lightly used links. TAPs ensure you getall of the traffic, including on high speed links, and physical layer errors.

A TAP is a passive splitting mechanism installed between a device of interest andthe network. A TAP copies the incoming network traffic and splits it. It passes thenetwork traffic to the network and sends a copy of that traffic (both send andreceive) to a monitoring device in real time.

A SPAN/mirror port on a switch that copies traffic on a port or group of portsand sends the copied data to an analyzer. By its very nature it is half-duplex,which means that it cannot send all of the send and receive traffic it sees iftraffic exceeds 50% of the bandwidth. Moreover, switch manufacturers designtheir products so that the SPAN/mirror port has a lower priority in the switchoperating system. Therefore, one of the first things to stop working when theswitch gets busy is the SPAN/mirror port traffic flow. A SPAN/mirror port is finefor connections to stations at the edge of your network, but may be unable tokeep up with the higher traffic volumes on your full duplex links at the core ofyour network. It is convenient for a proof of concept, but cannot pass physicallayer errors (poorly formed packets, runts, CRCs) to the analyzer and give you allof the visibility you need for Gigabit, 10 Gigabit or 40 Gigabit networks, but aTAP will.

Most enterprise switches copy the activity of one or more ports through a SwitchPort Analyzer (SPAN) port, also known as a mirror port. An analysis device canthen be attached to the SPAN port to access network traffic.

There are four common ways to get full duplex data to a probe or analyzer:

♦ Connect the probe to a SPAN/mirror port. A SPAN/mirror port can providea copy of all designated traffic on the switch in real time, assumingbandwidth utilization is below 50% of full capacity.

♦ Deploy an Aggregator TAP on critical full duplex links.♦ Deploy a full duplex TAP on critical links to capture traffic. For some

types of traffic, such as full duplex gigabit links, TAPs are the only way toguarantee complete analysis, especially when traffic levels are high.

♦ Traffic aggregators, like the Observer Matrix, allow you to copy and filterfull duplex traffic. Because full-duplex Ethernet links lies at the core ofmost corporate networks, ensuring completely transparent analyzer accessto those links is critical.

Choosing between a SPAN, Aggregator, or full-duplex TAPChapter 2: Why choose a TAP or SPAN port 9

 

Figure 1: TAP versus SPAN

 

Table 2: TAP versus SPAN TAP SPAN/mirror portPros Greatly reduces the risk of

dropped packetsLow cost

Monitoring device receivesall packets, including physicalerrors

Remotely configurable fromany system connected to theswitch

Provides full visibility into full-duplex networks

Able to copy intra-switchtraffic

Cons Analysis device may needdual-receive capture interfaceif you are using a full-duplexTAP (does not apply to theAggregator TAP family)

Cannot handle heavily utilizedfull-duplex links withoutdropping packets

Additional cost with purchaseof TAP hardware

Filters out physical layer errors,hampering some types ofanalysis

Cannot monitor intra-switchtraffic

Burden placed on a switch’sCPU to copy all data passingthrough ports

Switch puts lower priority onSPAN port data than regularport-to-port data

Can change the timing offrame interaction alteringresponse times

Bottom line A TAP is ideal when analysisrequires seeing all the traffic,including physical-layer errors.A TAP is required if networkutilization is moderate toheavy. The Aggregator TAPcan be used as an effectivecompromise between a TAPand SPAN port, deliveringsome of the advantagesof a TAP and none of thedisadvantages of a SPAN port.

A SPAN port performs wellon low-utilized networks orwhen analysis is not affectedby dropped packets.

Choosing between a SPAN, Aggregator, or full-duplex TAP10 Gigabit Copper Aggregator nTAP (23 Jan 2016) — Archive/Non-authoritative version

When to use a SPAN/mirror portThe advantage of using a SPAN/mirror port is its cost, as a SPAN/mirror port isincluded for free with nearly every managed switch. A SPAN/mirror port is alsoremotely configurable, allowing you to change which ports are mirrored from theswitch management console.

There are some limitations in using a SPAN/mirror port. Limitations of a SPAN/mirror port stem from the aggregation necessary to merge full-duplex networktraffic into a single receive channel. For examples, when traffic levels on thenetwork exceed the output capability of the SPAN/mirror port, the switch isforced to drop packets. Another reason that a SPAN/mirror port may not be theright choice is because Layer 1 and 2 errors are not mirrored and therefore neverreach the analyzer. When performing network troubleshooting, seeing theseerrors can be important.

When monitoring with a SPAN/mirror port on a switch, the switch does threethings:

♦ Copies both the send and receive data channels♦ Reconstructs an integrated data stream from the two channels♦ Routes the integrated signal to the send channel of the SPAN/mirror port

Each of these activities burdens the switch’s internal processor. These demandson the switch’s CPU have implications for both your monitoring equipment andgeneral network performance. Using a SPAN/mirror port to capture networktraffic for analysis presents the following risks:

♦ As total bandwidth usage for both channels exceeds the capacity of theoutbound link to the analyzer, the excess traffic is dropped from theanalyzer stream. There simply is not enough bandwidth to transmit bothsides of the full-duplex traffic across a single standard interface.

♦ The switch’s CPU must act as both a network switch and a packet-copier.The switch’s CPU must also integrate the two data streams (send andreceive) together correctly. Both packet copy/re-direction and channelintegration is affected by switch load. This means the SPAN/mirror portmay not deliver accurate captures when the switch is under heavy load.Monitoring a 10/100 network through a gigabit SPAN/mirror port andanalyzer does not alleviate these concerns. Also, there is no notificationwhen the SPAN/mirror port is dropping packets or delivering inaccuratetime stamps.

A SPAN/mirror port can deliver satisfactory results when used to monitor lightlyused, non-critical networks. If network utilization exceeds the capacity of theoutbound (analyzer) link, packet loss results—which invalidates many types ofanalysis, and makes monitoring for certain kinds of network activity impractical.For example, you might miss a virus signature because packets are beingdropped. When analyzing a transaction or connection problem, the analyzer maydetect problems where none exist because expected packets are being droppedby the SPAN/mirror port. Hardware and media errors will also be impossible totroubleshoot through a SPAN/mirror port, as these errors are not mirrored to theanalyzer.

Choosing between a SPAN, Aggregator, or full-duplex TAPChapter 2: Why choose a TAP or SPAN port 11

Cloning your SPAN/mirror portYou can still access your SPAN/mirror port even if all of your SPAN/mirror portson your switch are used. This is fairly common, and you can use a TAP to producetwo copies of the SPAN/mirror port.

By cloning a SPAN/mirror port you get the benefits of a duplicate copy of thetraffic and no security risk. 

Figure 2: Cloning your SPAN/mirror port

 

Joining SPAN/mirror portsIf you have a primary switch and a failover switch, you can connect both of themto the Aggregator TAP. Connect one of them to Link A and the other to Link B.

It does not matter whether the primary switch is connected to Link A or Link B,and you do not need to know which one is “live.” The Aggregator TAP joins theactive and inactive SPAN/mirror port session together and sends the result tothe analyzer. Regardless which switch is primary, the Aggregator TAP sends theSPAN/mirror port data from that switch to the analyzers.

Choosing between a SPAN, Aggregator, or full-duplex TAP12 Gigabit Copper Aggregator nTAP (23 Jan 2016) — Archive/Non-authoritative version

 

Figure 3: Joining SPAN/mirror ports

 

When to use the Aggregator TAPThe Aggregator TAP offers a compromise between the SPAN/mirror port andfull-duplex TAP options. It costs more than a full-duplex TAP due to the addedcomplexity and memory requirements of its built-in buffer.

The Aggregator TAP does not require a specialized (and potentially moreexpensive) analyzer with a dual-receive capture interface. Like a full-duplex TAP,it is independent of the network, making it immune to security threats.

The Aggregator TAP includes an internal buffer to mitigate the bandwidthproblem associated with converging both sides of the full-duplex traffic from thenetwork into one side of the full-duplex link to the analyzer. The buffer is able tocache some spikes in network utilization, but the Aggregator TAP drops packetswhen the bursts of activity exceed its buffer capacity.

The Aggregator TAP is ideally suited to work with an analysis device with astandard, single-receive capture interface or NIC. This means that a laptop or astandard system can be deployed as an analyzer rather than the more expensivespecialized analyzers or appliances that are designed to accept full duplex trafficthrough a dual-receive capture interface.

Just like a SPAN/mirror port, the Aggregator TAP is ideal for a lightly usednetwork that occasionally has utilization peaks above the capture capacity of theanalyzer. Unlike a SPAN/mirror port, the Aggregator TAP will forward Layer 1 and2 errors to the analysis device.

Another advantage the Aggregator TAP has over a SPAN/mirror port session is itsinternal memory buffer. The memory buffer provides limited protection againstpacket loss, and if the network utilization does not regularly exceed the capacityof the analyzer’s capture card, an Aggregator TAP may be the right choice.

The appropriate solution for capturing full-duplex data for analysis dependson the rates of traffic you must monitor, and what level of visibility yourequire. When monitoring a lightly-used network, using a SPAN/mirror port orAggregator TAP to supply an analysis device with a standard NIC (i.e., single-receive) interface can be an economical choice. The Aggregator TAP can provide

Choosing between a SPAN, Aggregator, or full-duplex TAPChapter 2: Why choose a TAP or SPAN port 13

protection against packet loss, but if usage spikes exceed its buffer capacitybefore the link to the analyzer can catch up, the Aggregator TAP drops packets.

To monitor a critical, heavily utilized full-duplex link, a full-duplex TAP is the onlyalternative. Monitoring a full-duplex connection using a full-duplex TAP and ananalyzer with a dual-receive capture interface guarantees complete, full-duplexcapture for monitoring, analysis, and intrusion detection regardless of bandwidthsaturation.

Choosing the Aggregator TAP buffer sizeWith the understanding that the Aggregator TAP is designed for use on networklinks with low-to-moderate utilization, they do have their place. You should knowwhat your network utilization is before you decide to use the Aggregator TAP.

If your network utilization is too high, the Aggregator TAP may not be the correctsolution for you.

The internal buffer helps absorb traffic spikes of over 50% full-duplex bandwidthsaturation (100% when both data streams are combined), because the analyzer’ssingle receive interface is limited to line rate, and the amount of data on thenetwork under analysis can be two times the line rate. The data in the buffer isreleased when utilization drops to the point where the analyzer interface canmove both the “live” data plus the data released from the buffer. Packet loss isunavoidable if the utilization spikes exceed the capacity of the buffer. Packetloss occurs only to the analyzer. No traffic loss occurs between Link A (typically arouter, firewall, or server) and Link B (typically a switch).

To monitor links that are well over 50% utilization for minutes at a time, a full-duplex TAP may be a better choice.

After the buffer is full, the Aggregator TAP will drop packets. Use Figure 4 tochoose the best buffer size for your Aggregator TAP. The graph shows the buffersize and duration of traffic spikes that the buffer can absorb.

Note: The Link side and Analyzer side of the Aggregator TAP negotiate theirconnections independent of each other. This means that the Link side canbe at a speed slower than or up to the same speed as the Analyzer side.It cannot be faster than the Analyzer side. This is true whether you usea copper or optical connection to the analyzer. For instance, if your Linkside is at 10 Mb or 100 Mb and your analyzer connection is 1 Gb, the TAPsends data to the analyzer at 1 Gb, known as up-converting, and there is nochance of over-subscribing the buffer. If your Link side is 1 Gb, then yourconnection to the analyzer must also be 1 Gb. It cannot be 10 Mb or 100Mb, because the analyzer cannot receive the traffic from the Link side fastenough.

Choosing between a SPAN, Aggregator, or full-duplex TAP14 Gigabit Copper Aggregator nTAP (23 Jan 2016) — Archive/Non-authoritative version

 

Figure 4: Bandwidth utilization that a buffer can absorb on a gigabit network

 

When to use a full-duplex TAPA full-duplex TAP is the only option guaranteeing all of the network traffic makesit to the analysis device (including Layer 1 and 2 error information). Althoughthis can be the most expensive option, it is also the only option that guaranteescomplete accuracy when the network is highly saturated.

A full-duplex TAP is more complex and potentially expensive to implement, butwhere there is high network utilization and an importance to guarantee thecapture of “everything on the wire” along with errors from all network layers,a full-duplex TAP is the only choice. If the analysis requires a high level of datastream fidelity (for instance, looking for jitter in video or VoIP), only a full duplexTAP forwards the original data timing to the analyzer.

Note: A full-duplex TAP must be coupled with a probe or monitoring devicecapable of receiving both channels of a full-duplex signal and recombiningthe two channels into a single data stream for analysis.

A full-duplex TAP is a passive mechanism that is installed between two networkdevices. An Optical TAP is non-electronic (no power) and optically splits thesignal into two full-duplex signals. One signal maintains the network link, whilethe other is passed to an analyzer equipped with a dual-receive capture card. ACopper TAP performs the same function, but uses electronic circuitry to duplicatethe signals.

Because a full-duplex TAP copies both the send and receive channels from afull-duplex link to the analyzer (where the data is integrated), the analyzer canmonitor a full-duplex network at line rate—assuming the capture card in theanalyzer is capable.

All TAPs from Viavi, except the Aggregator TAP family, are full-duplex TAPs.

3

Chapter 3: Features

Features

 

Key features of the Gigabit Copper Aggregator nTAP include:

♦ Passive access without packet tampering or introducing a single point offailure

♦ All traffic (including errors) is passed from all OSI layers for analyzing♦ Enhanced security because the nTAP does not require or use an IP address,

making it undetectable compared to a SPAN♦ Allows you to connect and disconnect the analysis device as needed

without taking the network down♦ Fully IEEE 802.3 compliant♦ Fully RoHS compliant♦ Automatic link failover for devices that have an alternate path♦ Optional redundant power ensures maximum monitoring uptime♦ LEDs show power and link status♦ Front-mounted connectors make installation simple♦ Optional 19-inch 1U rack mount panel holds up to three nTAP

4

Chapter 4: Standard and Optional Parts

PartsThe Gigabit Copper Aggregator nTAP comes with several parts. If any part ismissing or damaged, contact Viavi immediately.

The Gigabit Copper Aggregator nTAP ships with the following items:

♦ Gigabit Copper Aggregator nTAP♦ Quick Reference Card♦ A/C power cord♦ Voltage auto-sensing universal power supply

Your kit may also contain optionally available parts (for instance, patch cables).

5

Chapter 5: Gigabit CopperAggregator nTAP Installation

InstallingPrerequisite(s):  

♦ Decide where to place the nTAP and physically mount it, if desired.Depending on the form factor purchased, this may be in a drive bay, rackmount bracket, or wherever it is most convenient.

♦ Keep the nTAP horizontal for efficient heat dissipation. 

The Copper TAP transmits the analyzer signals through a pair of 10/100/1000BaseT RJ-45 ports (or 10/100 BaseT if a 10/100 Copper TAP model).

When traffic comes in to Link A, two copies are made in the TAP. One copy is sentout Link B to the switch and the other copy is joined with a copy of the trafficfrom Link B and sent out the Analyzer AB ports to the analysis device(s). A similarthing happens with traffic that comes in Link B. Two copies are made. Due tohow the TAP is designed, it is not possible for traffic from the Analyzer side topass to the Link side.

Installing18 Gigabit Copper Aggregator nTAP (23 Jan 2016) — Archive/Non-authoritative version

 

Figure 5: Cabling the Gigabit Copper Aggregator nTAP

 

Caution: Before you temporarily break the link between the device ofinterest and the network, you may want to shut down access to that deviceand notify users of the down time.

1. Ensure that power is connected to the nTAP. You can provide power to oneor both power supply sockets on the back panel of each nTAP. Connectingboth sockets to different external power sources provides fail-safe powerredundancy for the Analyzer side.

The network pass-through (Link side) remains unaffected even if powerto the nTAP is interrupted. If you do lose power, you will temporarily loseconnectivity while the devices renegotiate their connection. The analyzer sidewill be down until power is reestablished, and during this time some packetsmay be dropped.

2. Disconnect the cable from your device (typically a switch) and connect it toLink B. You want to connect Link B first because it negotiates its networkspeed first, and Link A then must use the same speed as Link B. If your linkis part of a failover or redundancy arrangement, then connect the failoverdevice to Link B.

3. Connect your network device (or primary device in a failover arrangement) toLink A.

4. Connect the Analyzer ports on the TAP to the receiving ports of themonitoring device.

See also: How do I connect my failover devices?.

Note: The role of the buffer is to absorb traffic spikes of over 50% full-duplex bandwidth saturation (100% with both sides combined), because theanalyzer’s single-receive interface cannot receive the traffic fast enough tokeep up at line rate. For more details about the Aggregator TAP’s buffer, seeChoosing the Aggregator TAP buffer size.

Connect your device of interest (for instance, switch, router, etc.) to the GigabitCopper Aggregator nTAP using standard Ethernet cables with RJ-45 connectors.

6

Chapter 6: LEDs andconnection sequence

When turned on, the TAP performs a sequence of steps to determine whether itslink ports are connected to any devices, and what speeds and other capabilitiesthose devices have. The blinking pattern of the LEDs indicate which step of theconnection process the TAP is performing. The duration of each state depends onthe type of equipment attached to each port of the TAP. Here are the connectionsteps, listed in the order they occur:

1. Capabilities search. Both link ports/connections on the TAP are attemptingto attach to their respective devices and determine a common speed andother capabilities. The LED pattern is that the Speed LEDs flash (slower) andthe Link LEDs flicker (faster).

2. Connecting. The link parameters are attempting to connect using theparameters determined during the capabilities search. The LED pattern is thatthe TAP shows the connection speed while the Link LEDs continue to flicker.

3. Connected. Both link ports/connections are connected to the link partners ata common speed. The Speed LED shows connection speed. The Link LEDs lightsteadily (idle) or flicker depending on whether there is any traffic present. If aLink LED is unlit, there is no functioning device connected to that port.

When the Gigabit Copper Aggregator nTAP experiences power loss, the followingoccurs:

♦ If you are using a redundant power supply or the TAP is attached to anuninterruptible power supply (UPS), it provides power with no loss ofnetwork connection.

♦ If you are not using a redundant power supply or UPS, or power to bothpower supplies is lost, then:

● The Analyzer ports stop working and the analysis device(s) connectedto the TAP will go “dark.”

20 Gigabit Copper Aggregator nTAP (23 Jan 2016) — Archive/Non-authoritative version

● The TAP continues to pass data between the network devicesconnected to it (firewall/router/switch to server/switch). In this sensethe TAP is passive.

● The network devices connected to the TAP on the Link ports mustrenegotiate a connection with each other because the TAP has droppedout. This may take a few seconds.

Error conditions are shown by the LEDs for approximately 10 seconds, after whichthe TAP resets itself (goes back to the Capabilities connection step).

LED Pattern Error ConditionThe LEDs repeatthe sequence: 10>100> 1000.

No Common Speed. There is no common speed capabilitybetween the devices attached to Link A and Link B.

The 10 LED flashes.The other SpeedLEDs are on and donot flash.

Timed Out. The TAP software has timed out waiting for someevent.

The expectedspeed’s LED is on,while the actualspeed’s LED flashes.

Wrong Speed. One of the links has connected at the wrongspeed.

The 1000 LEDflashes. The otherSpeed LEDs are onand do not flash.

Logic Error. This error occurs when the link partner capabilitiesare ambiguous.

See How do I connect my failover devices? for details about what happens whena primary device fails.

7

Chapter 7: Technical Specifications

Technical specificationsThis section lists the dimensions, power requirements, supported media, andenvironmental requirements.

Both power connectors are located on the back panel, along with the modelinformation and serial number.

 

 

Power requirementsAC Input 100-240V 50/60Hz 0.5A

Technical specifications22 Gigabit Copper Aggregator nTAP (23 Jan 2016) — Archive/Non-authoritative version

OperationalVoltage

5V (+10%/-5%, < 100 mV ripple)

Operational Current Typical: <= 1.8 amps; Max: <= 2.8 ampsPower Dissipation Typical: 8 watt; Max: 14 wattEnvironmental requirementsTemperature range 32°F - 113°F / 0°C - 45°C (operating): The fanless cooling design

relies on conduction and convection from the nTAP casing. Yourinstallation environment must provide enough cool airflow forthe nTAP casing to maintain an operating temperature less than113°F/45°C.-52° to +185°F / -47° to +85°C (storage)

Humidity 35-85% (non-condensing)Supported media

Link ports Straight-through RJ-45 cable or crossover cableCopper Analyzerports

Straight-through RJ-45 cable or crossover cable

Buffer size 256 MB, 512 MB, or 1 GB (depending on TAP)DimensionsWidth 5.62 in/14.28 cmHeight 1.15 in/2.93 cmLength 7.79 in/19.78 cm

8

Chapter 8: Troubleshooting

What happens if my TAP loses power?If your TAP loses power, it will not be able to send data to the analyzer. You willtemporarily lose network connectivity, but connectivity is re-established as soonas the two devices connected to the Link ports can renegotiate a connection witheach other. This could take a few seconds and is completely dependent on thenetwork and the devices.

What latency does a TAP create?Latency is created by the copper ports of a TAP. The latency is typically 200-250nanoseconds. This is the time it takes to receive a packet, process and copy it, andbegin forwarding the copy.

Are the analyzer ports “send only”?Yes, the analyzer ports are send only. The TAP is incapable of sending data fromthe Analyzer side of the TAP to the Link (or network) side of the TAP.

The “A,” “B,” or “AB” ports on the Analyzer side of the TAP must be capableof both transmitting and receiving data to negotiate a connection with theanalyzer and they do this through the physical interface. The physical interfaceis responsible for negotiating a bi-directional connection with the analyzer andunidirectionally sending data from the TAP to the analyzer.

There is no physical connection between the receive port on the Analyzer side ofthe TAP and the TAP’s internal processor. Therefore, the TAP cannot transmit datafrom the analyzer back to the Link side of the TAP.

Not seeing traffic at the analyzer from the TAP24 Gigabit Copper Aggregator nTAP (23 Jan 2016) — Archive/Non-authoritative version

Not seeing traffic at the analyzer from the TAPIf your TAP is not transmitting to the analyzer as you expect, check the following:

♦ The Link is definitely up and running.♦ The cable connected to the analyzer functions properly. Use a different

cable to confirm this.♦ The Ethernet/SPAN or Fiber channel is not diverted elsewhere.♦ Try swapping the cables between the ports.♦ The nTAP is receiving power using a Viavi power adapter. The Link A and

Link B lights flash when there is traffic traversing through the nTAP, whichindicates the nTAP has power.

♦ If you are using a TAP with a GigaStor, ensure the driver configurationspeed is set correctly. Sometimes allowing it to auto-negotiate will enablethe connection.

♦ If the system you are monitoring is Linux or UNIX based, you may have anissue with the Maximum Transmission Unit size. The TCP stack in the UNIXsystem uses algorithms to produce an MTU based on response time fromSYN ACK. A small MTU forces a server and client to redo their handshake.Increase the MTU on your server to alleviate this issue.

Can I daisy chain an Aggregator TAP?Yes, you can daisy chain TAPs, but it is not recommended because of thenegotiation time and latency introduced by the TAP. Although the latency is verysmall, if the packets do not reach their destination fast enough and the receivingdevice has a low MTU (maximum transmission unit), the receiving device couldrestart the negotiation process. For more details, see Not seeing traffic at theanalyzer from the TAP.

If you experience issues daisy chaining Aggregator TAPs to more than twoanalyzers, and you are certain your MTU on the receiving devices is high enough,contact Viavi Support for assistance.

Can I “team” or bond NICs in my analyzer?Yes, it is possible with some limitations. Sometimes it is desirable to use twostandard full-duplex capture cards to capture full-duplex TAP output for analysis.Because a standard capture card port has only one receive channel you mustaggregate the receive channels from two ports to see both sides of the two-wayconnection being monitored. Intel’s Advanced Network Services allows you toteam multiple connections at the driver level, presenting your analyzer with anaggregated view of send and receive channels.

Because of the processing overhead and its effect on capture card performance,this method is not recommended for monitoring moderate to highly saturatedlinks, such as those between switches. However, it can be an economicalalternative when monitoring more lightly used connections, such as between aserver and switch.

In addition to the bandwidth limitations, connection teaming is also less accuratewhen timestamping packets, which can cause unexpected results when your

Can I “team” or bond NICs in my analyzer?Chapter 8: Troubleshooting 25

analyzer attempts to display certain charts and statistics such as ConnectionDynamics or VoIP jitter. You also will not be able to tell which side is DCE vs.DTE. In short, if you do not have a dual-receive analysis capture card, it is alwaysbetter to analyze the SPAN or port mirror session through a standard capturecard rather than using the connection teaming method described here.

Note: You need at least one capture card that supports Advanced NetworkServices. If the card has two ports, they can be teamed, otherwise anothercapture card with an unused port must be present.

 

Figure 6: Capture card teamingThis figure is for illustrative purposes and may not match your product.

 

1. Configure the IntelPro/1000 Driver Software to Define Teamed Connections.For Ubuntu Linux instructions for port bonding, see the Ubuntudocumentation.

2. Connect the TAP to the analyzer using the appropriate cables.

The TAP is cabled between the devices being monitored normally (i.e., itprovides a pass-through circuit for the link under test). Instead of connectingto a single dual-receive port (as is the preferred deployment), connectthe send lines to the transmit (TX) sides of the two ports you intend toaggregate. You can team ports on separate cards as long as one of them is anIntelPro card.

3. Open Network Connections by right clicking My Network Places on theWindows Start menu and choosing Properties.

4. Right-click a Monitor Port from an IntelPro/1000 card (which one does notmatter) and choose Properties. Click the Teaming tab.

5. Choose the “Team with other adapters” option and then click New Team... tostart the New Team Wizard. The first dialog lets you name the Team (you maywant to call it something like “Virtual Dual-receive”).

6. Click Next and add another adapter/port that supports teaming (for examplethe second port on a dual-port IntelPro card).

7. Click Next and choose Static Link Aggregation. This option works best foraggregating both sides of a full duplex link for analysis. Click Next, and thenFinish.

The My Network Places display should now list the new virtual adapter.

How do I connect my failover devices?26 Gigabit Copper Aggregator nTAP (23 Jan 2016) — Archive/Non-authoritative version

How do I connect my failover devices?When the device connected to Link B fails, the TAP disables Link A so that thedevice on Link A can initiate its failover procedure.

The TAP then restarts its search phase. Until the Link B device is working again,the TAP repeats the following steps:

1. Search.2. Determine if Link A is up. If not, keep searching.3. If Link B is up, then re-establish the connection. If Link B is still down, then

shut down Link A.4. Go to first step. 

Figure 7: Cabling Failover DevicesThis figure is for illustrative purposes and may not match your product.

 

Choosing crossover or straight-through cablesWhen choosing whether to use crossover or straight-through cables with a TAP,consider the following:

♦ Crossover or straight-through cables can be used for any TAP havingcopper ports; either type will operate perfectly. However, straight-throughcables are required for the 10/100 Copper TAP only.

♦ Most networking hardware supports Auto-MDIX, which electrically createsa crossover connection where one is needed. For those devices, the propercable configuration is used automatically regardless of the connectiontype.

♦ If you encounter any rare issue with cable choice and your TAP, test yourTAP with the opposite cable type and then contact Viavi Support.

I am seeing CRC errors on my networkIf you are seeing an uncommonly high number of CRC errors, this could indicatethat there is an issue with the TAP, but it may also indicate that the TAP isfine and there are other problems on your network. Contact Viavi Support forassistance.

VLAN tags not visible at the analyzerChapter 8: Troubleshooting 27

VLAN tags not visible at the analyzerAll TAPs pass VLAN tags with the packets. If you are not seeing the VLAN tags atthe analyzer, check the following:

♦ On the switch:

● Confirm that the SPAN was created to pass VLAN tags. SometimesSPANs are created and passing VLAN tags is not enabled.

● Confirm the communication between the switch and the router ispassing the VLAN tags (normally the communication between them isnot a trunk).

♦ On a GigaStor, if you are using one:

● Confirm the Gen2 capture card has been enabled to receive or passVLAN tags.

MemoryFully optical TAPs do not have internal memory or any electronic components andare strictly a pass-through wherein a copy of the data is made. TAPs with anycopper connections have two distinct and separate memory stores.

The two memory stores are non-volatile memory and volatile memory. They arenot connected in any way and no data can move between them. The non-volatilememory provides certain functions that make the device work and cannot bemodified or changed during normal operation of the device. Volatile memoryholds network data as it is copied and passed through the device. Turning off thedevice clears any data in the volatile memory buffer.

Maximum frame sizeThe maximum frame size allowed through an nTAP is up to 16K; 64K super jumboframes are not supported.

Understanding why Link B is active when Link A isoffline

Link B is an active port. It is used to negotiate speeds for both Link A and Link B.

Applies to: Any copper-based nTAP.

When the main use of the nTAP is to monitor a server connection, Link A is forthe server and Link B is for the router or switch. This allows the server to use aredundant link if Link B goes down, and it keeps the router or switch active if theserver goes offline. Should Link A come back up, negotiations to get the link backonline are enhanced because Link B already has an active link.

As already stated, Link B is an active port. It is used to negotiate speeds for bothLink A and Link B. When you plug in Link A by itself, no negotiation occurs. If youplug in Link B, it negotiates a link speed with whatever device is connected toLink B. Then it negotiates with Link A at that speed. If Link A cannot use thatspeed, it then negotiates with the end device on Link B at a different rate until acompatible rate between the Link A device and Link B can be established.

Understanding why Link B is active when Link A is offline28 Gigabit Copper Aggregator nTAP (23 Jan 2016) — Archive/Non-authoritative version

One of the great advantages to having this capability is to use the nTAP toreplicate traffic to multiple devices and not use it strictly for pass through. Forexample, when you use an aggregation nTAP and if you connect Link B to a SPAN,you can then pass the SPAN traffic out the two analyzer ports and have twocopies of the SPAN traffic going to two different devices. You can have anotherdevice receiving the SPAN data on Link A, and if you disconnect Link A, the SPANtraffic for Link B still goes to the analyzer ports for monitoring.

An nTAP is not just for only passing bidirectional communication between LinkA and Link B and copying traffic to the two analyzer ports. Take advantage ofthe active Link B port to daisy chain multiple TAPs together to receive multiplesets of SPAN data streams and combine the multiple SPAN sessions into a singlestream. Without the ability for Link B to stay up if Link A were to go offline, youlose this capability.

9

Chapter 9: FCC compliance statement

Specification CertificationEmissions FCC Part 15 Class BCE Mark EN61000-3-2, EN55024, EN55022A

This equipment has been tested and found to comply with the limits for a ClassB digital device, pursuant to part 15 of the FCC Rules. These limits are designedto provide reasonable protection against harmful interference in a residentialinstallation. This equipment generates, uses and can radiate radio frequencyenergy and, if not installed and used in accordance with the instructions, maycause harmful interference to radio communications. However, there is noguarantee that interference will not occur in a particular installation. If thisequipment does cause harmful interference to radio or television reception,which can be determined by turning the equipment off and on, the user isencouraged to try to correct the interference by one or more of the followingmeasures:

♦ Reorient or relocate the receiving antenna.♦ Increase the separation between the equipment and receiver.♦ Connect the equipment into an outlet on a circuit different from that to

which the receiver is connected.♦ Consult the dealer or an experienced radio/TV technician for help.

30 Index (23 Jan 2016)

Index

Numerics10/100 network 1010/100 TAP 23

Aadvantages

SPAN 6aggregator 27analyzer 24

auto-negotiation 24cables 26dual-receive capture card 6no traffic from TAP 24ports, unidirectional 23single-receive capture card 6

auto-negotiation  24, 24analyzer 24

Bbandwidth utilization 13bottleneck, SPAN 6buffer  12, 13buffer size 13

Ccables

analyzer 26capture card 6choosing NIC, SPAN 24cloning, SPAN 11CRC errors  8, 26crossover cables 26

Ddaisy chain  24, 24, 27DCE 24DTE 24dual receive analyzer 6dual-receive capture card 6

Ffailover 26failover, SPAN 11FCC Compliance Statement 29full-duplex NIC 24full-duplex TAP  6, 14

G

Gen2 capture card 27GigaStor  24, 27

Hhalf-duplex 5half-duplex, SPAN 5

IIntelPro 24

Jjoining 11joining, SPAN 11jumbo frame 27

Llatency  23, 24light meter 24Link A 27Link B 27link negotiation 27Linux  24, 24

Mmaximum frame size 27Maximum Transmission Unit 24mirror port, see SPAN 10MTU  24, 24

NNIC teaming 24NIC, see single-receive capture card and dual-receive capturecard 6no traffic from TAP 24no traffic from TAP , analyzer 24

OOptical TAP 23Optical-to- 23OSI Layer 1 & 2 errors  5, 6, 12

SPAN 10over-subscribing 13

Ppackets 8port bonding 24ports, unidirectional 23

Chapter : 31

ports, unidirectional, analyzer 23power loss 23

Rredundancy, see failover 26redundant 27Regulatory Compliance 29risks, SPAN 10runts 8

Ssecurity 5SFP modules 24single-receive capture card 6

analyzer 6SPAN 12

SPAN  6, 27advantages 6as bottleneck 6choosing NIC 24cloning 11failover 11half-duplex 5joining 11pros and cons 8risks 10single-receive capture card 12VLAN tags 27

SPANOSI Layer 1 & 2 errorsOSI Layer 1 & 2 errors 10

straight-through cables 26SYN ACK 24

TTAP 27TCP stack 24

UUNIX 24up-converting 13

VVLAN tags 27

Wwhen to use, SPAN 8