Configure traffic mirroring with active or passive aggregation (TAP)

When using active or passive aggregation to mirror traffic, an active or passive aggregation terminal access point (TAP) is installed inline to the network cable. The TAP duplicates both Receive and Transmit traffic to the OT network sensor so that you can monitor the traffic with Defender for IoT.

A TAP is a hardware device that allows network traffic to flow back and forth between ports without interruption. The TAP creates an exact copy of both sides of the traffic flow, continuously, without compromising network integrity.

For example:

Diagram of active and passive TAPs.

Some TAPs aggregate both Receive and Transmit, depending on the switch configuration. If your switch doesn't support aggregation, each TAP uses two ports on your OT network sensor to monitor both Receive and Transmit traffic.

Advantages of mirroring traffic with a TAP

We recommend TAPs especially when traffic mirroring for forensic purposes. Advantages of mirroring traffic with TAPs include:

  • TAPs are hardware-based and can't be compromised

  • TAPs pass all traffic, even damaged messages that are often dropped by the switches

  • TAPs aren't processor-sensitive, which means that packet timing is exact. In contrast, switches handle mirroring functionality as a low-priority task, which can affect the timing of the mirrored packets.

You can also use a TAP aggregator to monitor your traffic ports. However, TAP aggregators aren't processor-based, and aren't as intrinsically secure as hardware TAPs. TAP aggregators may not reflect exact packet timing.

Common TAP models

The following TAP models have been tested for compatibility with Defender for IoT. Other vendors and models might also be compatible.

  • Garland P1GCCAS

    When using a Garland TAP, make sure to set up your network to support aggregation. For more information, refer to the Tap Aggregation diagram under the Network Diagrams tab in the Garland installation guide.

  • IXIA TPA2-CU3

    When using an Ixia TAP, make sure Aggregation mode is active. For more information, see the Ixia install guide.

  • US Robotics USR 4503

    When using a US Robotics TAP, make sure to toggle the aggregation mode on by setting the selectable switch to AGG. For more information, see the US Robotics installation guide.

Next steps

For more information, see: