Using Port Mirroring to Monitor Traffic

[Figure: port mirroring with SPAN]

Port mirroring is used when network traffic must be monitored for troubleshooting or analysis. By nature, switches and routers try to forward traffic to its destination as directly as possible. As a result, traffic is not normally flooded to every switch port, so you cannot simply connect to any switch port and monitor the traffic flows you are interested in.

Within the network you can mirror traffic passing through switch ports or VLANs onto other ports so that a network analysis device can capture the required traffic. This article explains how to use the Switched Port Analyzer (SPAN) feature to mirror traffic between ports on the same switch or across a switched network to a remote switch.

Port mirroring and its usage

Suppose that a problem exists on your network and you want to use a network analyzer to gather data. You need to capture the traffic between two hosts connected to a switch. 

One computer is connected to interface Gigabit Ethernet 0/1 and the other to Gigabit Ethernet 0/2. Both ports are assigned VLAN number 10. Because other devices are already connected to these ports, you must connect your analyzer to a different switch port.

[Figure: two PCs on the same VLAN]

In this scenario, if you connect your analyzer to another port in VLAN 10, will the capture show the packets exchanged between the two hosts?

Normally, switches learn which port each MAC address is located on and forward packets directly to that port. The only time a packet is flooded to ports other than the specific destination is when the destination MAC address has not yet been learned, or when the packet is destined for a broadcast or multicast address.

Therefore, your packet capture will show only the broadcast and multicast packets that are being flooded to the analyzer’s switch port. None of the conversations between the two hosts of interest will be overheard.

In this case, you need to use the Switched Port Analyzer (SPAN) feature to mirror traffic from one source switch port or VLAN to a destination port. This allows a monitoring device, such as a network analyzer or “sniffer,” to be attached to the destination port for capturing traffic.

When packets arrive on the source port or VLAN, they are specially marked so that they can be copied to the SPAN destination port as they are delivered to the normal destination port. 

SPAN is available in two different forms:

  • Local SPAN: Both the SPAN source and destination are located on the same switch. The source is one or more switch ports.
  • Remote SPAN (RSPAN): The SPAN source and destination are located on different switches. Mirrored traffic is copied over a special-purpose VLAN across trunks between switches from the source to the destination.

Local SPAN

A local SPAN session exists on only one switch or one logical switch stack. You identify one or more source interfaces and a single destination interface to which the monitored traffic is copied, or mirrored.

The figure below shows local SPAN operation where the goal is to monitor all traffic coming from computer A and being passed to computer B. Interface Gi 0/1, where computer A is connected, is identified as the SPAN source. A network analyzer is connected to interface Gi 0/3, which is identified as the SPAN destination. As Ethernet frames arrive from computer A on interface Gi 0/1, the switch makes copies of them and forwards the copies to the analyzer.

To monitor traffic passing within one or more VLANs on the switch, you can identify the VLANs as the SPAN source. This is essentially the same as local SPAN, but is often called VLAN-based SPAN or VSPAN. All switch ports that are active in a source VLAN become sources themselves, and the analyzer receives all the traffic from that VLAN.
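An added example, not from the original article, of configuring the local SPAN session described above in Cisco IOS syntax. Gi0/1 (computer A) is the source and Gi0/3 (analyzer) is the destination as in the text; the session number 1 and the switch hostname are assumed values, and the VSPAN variant uses VLAN 10 from the earlier scenario.

```cisco
! Local SPAN: copy frames received on Gi0/1 (computer A) to Gi0/3 (analyzer).
! Session number 1 is an assumed value; any unused session number works.
! "rx" mirrors only frames arriving on the source port, matching the figure;
! use "both" to also mirror frames the switch sends out of Gi0/1.
Switch(config)# monitor session 1 source interface GigabitEthernet0/1 rx
Switch(config)# monitor session 1 destination interface GigabitEthernet0/3
!
! VLAN-based SPAN (VSPAN): every active port in VLAN 10 becomes a source,
! so the analyzer on Gi0/3 sees all traffic in that VLAN, both directions.
Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source vlan 10 both
Switch(config)# monitor session 1 destination interface GigabitEthernet0/3
!
! Verify the session. The destination port receives only mirrored copies;
! it does not take part in normal forwarding, so the analyzer host cannot
! be reached through it, which is the behaviour you want for a capture port.
Switch# show monitor session 1
```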

Remote SPAN

In a large switched network, or one that is geographically dispersed, it is not always convenient to bring a network analyzer to the switch where a SPAN source is located. With Remote Switched Port Analyzer (RSPAN), the source and destination can be located on different switches.

The image below shows an example network that uses RSPAN to mirror traffic from the source on switch A to the destination on switch B. The switches are connected by trunk links that carry a VLAN set aside exclusively for RSPAN traffic.

At the source switch, mirrored frames are copied and sent toward the RSPAN destination over the RSPAN VLAN. At the destination switch, packets are pulled off the RSPAN VLAN and copied to the RSPAN destination port.

The RSPAN VLAN has some important differences from a regular VLAN. First, MAC address learning is disabled on the RSPAN VLAN. This is to prevent intermediate switches that transport the RSPAN VLAN from trying to forward the mirrored packets to their real destination MAC addresses.

An RSPAN-capable switch also floods the RSPAN packets out all its ports belonging to the RSPAN VLAN, in an effort to send them toward the RSPAN destination. Intermediate switches have no knowledge of the RSPAN source or destination; they know only of the RSPAN VLAN itself.

Therefore, the RSPAN VLAN should be limited to the links that participate in RSPAN transport. In other words, the RSPAN VLAN should be allowed on trunks between switches, but should not be assigned to any other switch ports along the path.
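An added example, not from the original article, of the RSPAN setup described in this section in Cisco IOS syntax. Gi0/1 on switch A is the source and Gi0/3 on switch B is the destination; the RSPAN VLAN number 100, the trunk interface Gi0/24, the session number and the hostnames are assumed values.

```cisco
! --- Switch A (RSPAN source switch) ---
! The RSPAN VLAN is created with the remote-span keyword, which disables
! MAC learning for it and makes the switch flood it toward the destination.
! VLAN 100 is an assumed value; it must exist on every switch in the path.
SwitchA(config)# vlan 100
SwitchA(config-vlan)# remote-span
SwitchA(config-vlan)# exit
! Mirror frames received on Gi0/1 into the RSPAN VLAN instead of a local port
SwitchA(config)# monitor session 1 source interface GigabitEthernet0/1 rx
SwitchA(config)# monitor session 1 destination remote vlan 100
! Carry the RSPAN VLAN only on the trunk toward switch B (Gi0/24 assumed).
! Never configure VLAN 100 as the access VLAN of any user-facing port, or
! that port will receive copies of the mirrored traffic.
SwitchA(config)# interface GigabitEthernet0/24
SwitchA(config-if)# switchport trunk allowed vlan add 100

! --- Switch B (RSPAN destination switch) ---
SwitchB(config)# vlan 100
SwitchB(config-vlan)# remote-span
SwitchB(config-vlan)# exit
! Pull frames off the RSPAN VLAN and copy them to the analyzer port Gi0/3
SwitchB(config)# monitor session 1 source remote vlan 100
SwitchB(config)# monitor session 1 destination interface GigabitEthernet0/3
SwitchB(config)# interface GigabitEthernet0/24
SwitchB(config-if)# switchport trunk allowed vlan add 100

! Any intermediate switch needs only VLAN 100 defined as remote-span and
! allowed on the two trunks that form the path; it needs no monitor session.
! Verify on each end with: show monitor session 1
```

Because the RSPAN VLAN carries copies of the monitored traffic across the network, keep it allowed only on the trunks that form the path between the two switches, as the text above recommends.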
