Is it possible to use multiple taps or spans against one monitor?
search cancel

Is it possible to use multiple taps or spans against one monitor?

book

Article ID: 159582

calendar_today

Updated On:

Products

Data Loss Prevention Network Monitor Data Loss Prevention Data Loss Prevention Enterprise Suite Data Loss Prevention Plus Suite

Issue/Introduction

You can use multiple taps/spans against one monitor.

Resolution

Relevant to all versions.

Yes. A Network Monitor can monitor either:

  • One Endace measurement card (which can have 2-4 input ports, depending on the model)

Or

  • Up to 3 Network Interface Ports (NIC ports). (More are possible, but Symantec does not recommend it).

In general, a Tap will present 2 ports of traffic, while a SPAN will present a single port of traffic.

Additional Information

There are 2 types of traffic load to be concerned with: unfiltered and filtered traffic (the traffic actually being monitored). The limits on NICS/Ports/Endace cards are as follows:

  • An Endace installation can handle more than 700 Mbps of unfiltered traffic.
  • A non-Endace installation can handle up to 80 Mpbs.
  • In each case, this amount of traffic is the total traffic presented to all monitored ports.
  • In either case, the filtered traffic should be less than 20 Mbps of traffic (2 x 3 Ghz system) to 40 Mbps (4 x 3Ghz system)

These limits were determined by running tests with a lot of traffic (unfiltered) and a small amount of filtered traffic and validating the accuracy of the filtered traffic.

See also:

Can I use two or more NIC cards on a host to capture traffic? (broadcom.com)

Powered by Wolken Software