System administrators need network observability to identify bottlenecks, improve UX, diagnose network outages, and detect malicious parties. To do so, you must access individual data packets.
Port mirroring is a popular tool, with Cisco’s version SPAN (Switched Port Analyzer) often used generically.
How Does Port Mirroring Work?
Unlike TAPs, specialized devices for capturing packets inserted along network segments between two appliances, port mirroring/SPAN relies on configuring switches on a LAN, WLAN, or VLAN.
When you configure the switch, you designate one of the ports and configure it to “mirror” traffic. It then copies any packets that pass through it and sends them to a specified monitoring port, usually a part of the system using monitoring software to analyze traffic.
If your organization works in the cloud, you can use host-based monitors to gather and export packet capture statistics from cloud-based servers.
Advantages of Port Mirroring
SPAN offers several advantages:
- It is easy to set up, unlike network taps that require you to get into a cage and install hardware.
- It is flexible, allowing you to set it up quickly to monitor a network for a short time.
- It is cheaper than a TAP as no specialized device is required.
- It works across multiple switches, whereas a TAP must be inserted at every point where you wish to intercept traffic.
- Although network taps seldom fail, it does happen, whereas configuring a switch to mirror data via a dedicated port doesn’t increase its risk of failure.
- It is generally invisible to user nodes on the network.
Disadvantages of Port Mirroring
The CPU overhead for mirroring is low per packet, but the cumulative effect could constrain processing. The SPAN switch assigns mirrored packets lower priority to avoid delays and dropped packets in the network’s regular traffic.
- When traffic flow is low to medium, no issues arise. However, high traffic can cause the switch to drop mirrored packets, costing you some network observability at critical times.
- Delayed reception of mirrored packets can hinder you from diagnosing and addressing time-sensitive issues such as latency and network jitter.
- The hardware required for port mirroring entails financial costs. In commercial settings, software licensing is also pertinent. Thus, one must be strategic about deploying SPAN in crucial network segments.
- Many switches limit the number of monitoring ports to two. To get around this, you can set up a VLAN access control list, which functions like another SPAN port.
Port mirroring can only send you packets that travel via a particular switch, meaning you must be clear about your network’s topography so you can install the SPAN port in the right place to feed you critical data. You need Remote SPAN (RSPAN) or Encapsulated Remote Span (ERSPAN) for distributed networks.
RSPAN uses a dedicated VLAN covering every switch on a distributed physical network, creating a tunnel that mirrors all packets passing through any connected switch to your monitoring destination. RSPAN lets you observe complex, hierarchical networks.
RSPAN is configured according to OSI Layer 2 and cannot support data routed via Layer 3, thus constraining it to switches on a single physically connected network.
ERSPAN is Cisco’s proprietary solution to the limitations of RSPAN. It supports Layer 3 routing via GRE-encapsulated tunnels, enabling use across multiple geographically scattered networks. However, you must ensure sufficient bandwidth on the routed path, so network traffic is not hindered.
Port Mirroring: Final Thoughts
Port mirroring or SPAN is simple to configure and low cost while providing good network observability. While it isn’t a cure-all, it is a valuable tool in a network administrator’s arsenal.