A network operator can build a monitoring network to get better visibility into the application and network performance of the operator's network. The monitoring network further enables improved security, compliance, and reporting for the network operator. To set up the monitoring network, existing switches have passive tap ports that mirror traffic to a tap aggregator. The tap aggregator provides traffic consolidation, source identification, packet processing for elimination of unneeded traffic, and distribution of packets to a data analyzer. The data analyzer analyzes the data sent to it and reports to the network operator on the use, security, and performance of the network.
The flow of data in the monitoring network is unidirectional: the data flows from the existing switches to the tap aggregator and then to the data analyzer. In this design, each of the switches is coupled to the tap aggregator through a separate port on the tap aggregator. In addition, the tap aggregator switches the data received from the switches out of different ports of the tap aggregator to the data analyzer, based on the data characteristics being analyzed by the data analyzer. For example, the tap aggregator can switch the received traffic based on the protocols used for the data, such as source and/or destination headers for the Link, Transport and Session layers, and potentially on arbitrary patterns within datagram headers and/or payloads. Examples include common address fields such as MAC and IP addresses, and well-known protocols such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Secure Shell (SSH) and/or other known protocols.
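The steering decision described above can be sketched as follows. This is an added example, not code from the original text: the port names (`tap1`, `tool0` to `tool3`), the policy table and the drop rule for malformed frames are assumptions, and the sample frames are constructed.

```python
import struct

# Hypothetical policy: well-known TCP port -> analyzer-facing output port.
STEER_BY_TCP_PORT = {80: "tool1", 21: "tool2", 22: "tool3"}  # HTTP, FTP, SSH
DEFAULT_TOOL = "tool0"  # assumed catch-all analyzer port
DROP = None             # unneeded traffic is eliminated

def steer(ingress_port, frame):
    """Return (source_id, output_port); output_port is None when dropped."""
    if len(frame) < 14:
        return ingress_port, DROP                    # runt frame
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == 0x8100 and len(frame) >= 18:     # skip one 802.1Q tag
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != 0x0800:
        return ingress_port, DEFAULT_TOOL            # not IPv4
    ip = frame[offset:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return ingress_port, DROP                    # truncated or bad version
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20:
        return ingress_port, DROP                    # malformed header length
    fragment_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if ip[9] != 6 or fragment_offset or len(ip) < ihl + 4:
        return ingress_port, DEFAULT_TOOL            # no readable TCP ports
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    # Match either direction so requests and replies reach the same analyzer port.
    tool = STEER_BY_TCP_PORT.get(dport) or STEER_BY_TCP_PORT.get(sport)
    return ingress_port, tool or DEFAULT_TOOL

def make_frame(dport, sport=40000, vlan=None):
    """Constructed sample input: a minimal Ethernet/IPv4/TCP frame."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    if vlan is not None:
        eth += b"\x81\x00" + struct.pack("!H", vlan)
    eth += b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return eth + ip + struct.pack("!HH", sport, dport) + bytes(16)

if __name__ == "__main__":
    for port, dport in (("tap1", 22), ("tap2", 80), ("tap3", 443)):
        print(steer(port, make_frame(dport)))
```

The ingress port name doubles as the source identifier, which works because each switch is coupled to its own port on the tap aggregator.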
Because of the unidirectional nature of the traffic flow, the ports of the tap aggregator are underutilized. A port of the tap aggregator has a receive interface and a transmit interface: the port receives data on the receive interface or transmits data on the transmit interface. For example, the tap aggregator does not use the transmit interface on ports coupled to switches, as the tap aggregator does not transmit data to those switches. In addition, the tap aggregator does not use the receive interface on ports coupled to the data analyzer, as the tap aggregator does not receive data from the data analyzer. Thus, the tap aggregator can potentially leave half of the port interfaces in the monitoring network unused. This can become expensive for a tap aggregator that uses fiber for the physical connections, because in a situation where only the transmit fiber is actively used, the receive fiber is still needed to keep the link up. In this example, the receive fiber is wasted. This problem is compounded if the fiber is a long-distance fiber, which means a long-distance fiber is wasted.