Kentik - Network Observability
Back to Blog

What Is Port Mirroring? SPAN Ports Explained

Kevin Woods
featured-on-off-switch

Summary

In this blog, we dive into what SPAN Port Mirroring is, how it works, what it’s good at, and the drawbacks as well as best practices in using port mirroring.


Network observability is a core part of systems administration. No matter your line of business, and no matter your number of users, you need to know what’s happening on your network. There are a number of good reasons to invest in better network observability. If and when you experience a network outage, high-quality observability means you’ll diagnose the issue more quickly. Network observability also gives you a tool to detect malicious intruders in your environment. Regularly inspecting network traffic can even help you identify network bottlenecks and improve the day-to-day experience for end-users on your network.

In this post, we’ll talk about one of the most popular means of network observation: SPAN port mirroring. We’ll dive into what it is, how it works, what it’s good at, and the drawbacks as well as best practices in using port mirroring.

What Is SPAN Port Mirroring?

The concept behind port mirroring is quite simple. When you configure a switch, you reserve one port. Then you configure the switch to “mirror” all traffic that passes through to that reserved port. Whenever the switch processes a packet, it makes a copy and sends it to whatever is connected to the aforementioned port. Usually, this will be some kind of dedicated system set up to monitor the traffic on that switch. SPAN (Switched Port Analyzer) is a Cisco-specific way of handling port mirroring. For the purposes of our discussion, we can use these terms interchangeably, but you should keep in mind that every network vendor provides some sort of port mirroring.

Types of SPAN Port Configurations

As you dig into SPAN port configurations, it’s important to understand what SPAN setups can and can’t do. For starters, they can’t tell you about any traffic that doesn’t route through the switch you’re configuring. That just makes sense, right? When you’re configuring SPAN ports, it’s also essential to understand how network traffic passes through your network. If you configure SPAN on the wrong switch within your topography, you’re going to wind up missing packets that you want to see. Fortunately, specific SPAN implementations don’t mean that you’re confined to a single physical switch.

If your network topology spans multiple switches, SPAN has you covered. There are two SPAN variants that handle distributed environments effectively: RSPAN and ERSPAN.

RSPAN

RSPAN takes our SPAN configuration from earlier and works across a dedicated VLAN tunnel. Traffic going from one switch to another moves along a dedicated tunnel. When you configure your switch, you dedicate a VLAN (one or more ports) as an RSPAN VLAN. Now all traffic that passes along switches within that tunnel will be copied to the RSPAN VLAN. Much like a traditional SPAN configuration, the switch copies all traffic. The important thing to know about RSPAN is that all the switches involved need to be on the same physical network. RSPAN is an OSI Layer 2 configuration. It doesn’t support routing traffic through Layer 3.

ERSPAN

If you read the previous paragraph, you can probably guess why ERSPAN exists. While RSPAN only supports Layer 2 routing, ERSPAN supports Layer 3. When you enable ERSPAN, you gain the ability to route mirrored traffic across multiple physical networks. This provides a real benefit for organizations with multiple geographically distributed network environments. Unfortunately, ERSPAN is a Cisco-proprietary feature. It’s only available on certain models. Those limits remove a lot of choices if ERSPAN is a feature your team needs.

Common SPAN Port Mistakes to Avoid

When setting up and using port mirroring, it’s essential to avoid common SPAN Port mistakes. The following issues are frequently encountered when working with SPAN ports:

  • Incorrect Configuration: An improper configuration can lead to reduced visibility or even cause network issues. Make sure to carefully follow the steps and best practices when setting up your SPAN port.
  • Limited Bandwidth: If the monitoring port doesn’t have enough bandwidth, it can cause dropped packets and limit your ability to analyze network traffic. Ensure your monitoring port has adequate bandwidth for the volume of traffic you’re capturing.
  • Overload: Overloading the switch with too many mirrored ports or excessive traffic can cause performance issues. Be cautious of the number of mirrored ports you set up and consider monitoring only the most critical traffic.
  • Wrong Source Port Selection: Choosing the wrong source port can lead to missing crucial network traffic. Ensure that you have a clear understanding of your network topology and traffic flows to select the correct source port for monitoring.
  • Monitoring the Wrong Traffic: Focusing on irrelevant traffic can lead to missed insights and wasted resources. Be selective in the traffic you monitor to ensure you capture the most relevant data for your network observability goals.

SPAN Port vs. Network Tap: What’s the Difference?

In order to effectively perform network monitoring, there are two popular methods that provide direct access to the actual packets traveling across networks. And accessing this data at the packet level is essential because it provides the level of detail needed to gain network visibility. These two methods are SPAN port mirroring and network TAP (Test AccessPoint).

What is a Network Tap?

A network TAP is a device that sits in a network segment between two appliances (such as a router, switch, or firewall), and allows you to directly access and monitor the network traffic. Therefore all of the data flows through the TAP and it creates a copy of the data for monitoring as the original data continues to flow through the network, simultaneously transmitting send and receive data on separate channels.

What is a SPAN Port?

SPAN ports, also referred to as Port Mirroring, are dedicated ports on a switch or router that creates copies of selected packets that pass through the device and sends them to a specific destination port.

SPAN Port vs Network Tap: Pros and Cons of Each Approach

When deciding between a SPAN port and a network tap for network monitoring, it’s essential to consider the pros and cons of each approach to determine the best solution for your network observability needs.

Pros and cons of SPAN Port:

Advantages:

  • Built into the switch, requiring no additional hardware
  • Cost-effective and easy to configure
  • Can be quickly enabled or disabled as needed
  • Invisible on the network, reducing points of failure

Disadvantages:

  • Lower priority, potentially dropping mirrored packets during high traffic
  • Limited visibility in case of switch issues or misconfiguration
  • Requires resources on physical or virtual appliances
  • May be less suitable for time-sensitive network observability goals

Pros and cons of Network Tap:

Advantages:

  • Provides direct access to network traffic for improved visibility
  • Does not introduce additional load on the switch
  • Handles send and receive data on separate channels, reducing latency
  • Can offer more accurate network monitoring and diagnostics

Disadvantages:

  • Requires additional hardware and potential maintenance
  • Can be more expensive to set up and maintain
  • May introduce additional points of failure
  • Physical installation needed for each switch being monitored

What are the Benefits of Port Mirroring?

Let’s start with the most obvious benefit of port mirroring: the functionality is available on your switch.

Let’s start with the most obvious benefit of port mirroring: the functionality is available on your switch device. Compared to something like a network tap, port mirroring is easy and cheap to configure. You don’t need any additional hardware. This makes port mirroring particularly valuable when your network configuration is constrained by physical space or when you might only need to monitor a VLAN for a short period of time. Instead of needing to get into a cage and physically install or remove hardware, you’ll just need to modify your switch configuration. This ease of configuration and lack of up-front cost makes port mirroring an attractive proposition for organizations taking their first steps toward network observability.

As an additional bonus, port mirroring is effectively invisible on your network. If you introduce a dedicated network tap, that’s another device you need to maintain and support. While dedicated network taps rarely fail, they’re still a potential point of failure. Enabling port mirroring on a switch makes it no more likely to fail than any other switch. And, as noted, port mirroring works across multiple switches. A device like a network tap requires installation connected to every switch you want to monitor. But by far, the biggest benefit to port mirroring is that it’s so simple and quick to set up.

What are the Drawbacks of Port Mirroring?

The switch treats each mirrored packet as a lower priority than normal network traffic.

While port mirroring is cheaper and quicker to set up, it does carry some real drawbacks. The most significant is that the switch will treat mirrored traffic (SPAN data) as a lower priority. While the CPU overhead of copying any individual packet and mirroring it to a destination port or VLAN is low, those costs add up. So the switch treats each mirrored packet as a lower priority than normal network traffic. During low-to-medium traffic periods, this isn’t a big deal. The switch capably handles both the normal traffic and the mirrored traffic. However, when traffic flow loads up, things can get hairy. The switch will drop mirrored packets first. This means that you’re most likely to lose some network observability during the time when you need it the most.

Moreover, the reduced priority of mirrored packets makes some network observability goals more difficult to achieve. For instance, if your network observability goals include things like reducing network jitter or latency, port mirroring might not be a good fit for your goals. This is because the delay in delivering mirrored packets can make those time-sensitive issues more difficult to detect and resolve.

Another downside to port mirroring is that it requires resources on physical or virtual appliances. These can be costly from a hardware and (in the case of commercial solutions) software licensing point of view. As a result, in most cases, it is only fiscally feasible to deploy forms of port mirroring at selected points in the network.

A cloud-friendly and highly scalable model combines the deployment of lightweight host-based monitoring agents that export packet capture statistics gathered on servers and open source proxy servers.

Port Mirroring Best Practices

If you’re jumping into port mirroring for the first time, here are some best practices you want to keep in mind:

  • Know your environment. You need to know where traffic flows to make sure you’re putting your SPAN port on the correct switch.
  • Focus your filtering. Because of the downsides of a SPAN port, you want to make sure you’re not over-capturing traffic. The switch may drop mirrored packets if network traffic load is too high
  • Check your logs. Network observability is important, but you don’t do yourself any good if you don’t ever look at the traffic you capture.
  • Don’t over-capture. Every packet you capture is one you have to filter through or parse out. Understand what you’re looking for, and try to capture only traffic that you need to see.

SPAN Ports: Just One Tool in the Toolbelt

Port mirroring is a great low-cost option for tapping into a source of network telemetry. Especially if you’re just starting your journey into high-quality network observability, it’s easy to configure and enable out of the gate. There are no big up-front costs, and enabling port mirroring is something you can do on your existing hardware today.

That doesn’t mean you should just jump in with both feet. Before you get started, you want to intimately understand how your network traffic flows. Where is your most critical traffic coming from? Where is it going? Once you answer those questions, it’s easier to know where to set up port mirroring in your existing network.

It’s also critical to understand that port mirroring isn’t a silver bullet. As we noted, while it has some real upsides, it also comes with some real downsides. Given that, you want to use port mirroring as just one tool in your toolbelt. Unless your network is very small, don’t expect that setting up port mirroring will solve all your problems. You can’t just set it and forget it. Good networks, like gardens, require tending and maintenance to flourish. If you’re interested in learning how to tend your network so that it runs its best all the time, we’d be happy to show you how Kentik can help.

Explore more from Kentik

We use cookies to deliver our services.
By using our website, you agree to the use of cookies as described in our Privacy Policy.