In-line mode places a Sensor directly in the network traffic path, inspecting all traffic at wire speed as it passes through the Sensor. In-line mode enables you to run the Sensor in a protection/prevention mode, where packet inspection is performed in real time, and intrusive packets can be dealt with immediately; you can drop malicious packets because the Sensor is physically in the path of all network traffic. This enables the prevention of an attack from reaching its target.
Full-duplex tap mode
Tap mode works through installation of an external wire tap (I-4000,I-4010) or built-in internal taps (I-2600,I-2700). A Sensor deployed in tap mode monitors or sniffs the packet information as it traverses the network segment.
Full-duplex taps split a link into separate transmit and receive channels. Sensors provide multiple monitoring interfaces to monitor the two channels, and Sensor ports are wired in pairs to accommodate full-duplex taps. Typically there is a limited number of SPAN ports per switch, and often there is competition for those ports. Tap mode enables you to monitor traffic on a segment of traffic where no SPAN port is available.
The downside of tapped mode is that, unlike in-line mode, you cannot prevent attacks. Tap mode is passive; the Sensor essentially sees malicious traffic as it passes. You cannot inject response packets back through a tap, so discovering an attack in tap mode triggers a response post-attack.