What is Port Mirroring (Cisco SPAN)?

What is this?

Port Mirroring, referred to by Cisco as SPAN (Switched Port Analyzer), is a networking technique used to send a duplicate copy of network traffic from specific switch ports (source ports) to a designated monitoring port (destination port). The copying happens in the switch hardware: frames arriving on or leaving the chosen source ports are duplicated and forwarded out the destination port, where whatever device is plugged into that port can make use of the duplicated traffic.

Why may you need it?

Well, there are a bunch of reasons but the ones that I’m most familiar with are to support network security platforms for threat monitoring and anomalous behavior detection, and to support diagnostic tooling; both requiring deep traffic inspection, but for different purposes. With that, let’s focus on the former concept which is related to network security platforms.

A Practical Example

Let’s set up a simple scenario where you have a 24 port switch, like a modern Cisco Catalyst model. On that switch you have a bunch of network gear like servers, end user computers, maybe some printers, IP phones, and a firewall supplying Internet access. In addition, you have a network-based security monitoring platform that you’ve invested in, and to be effective this platform needs to “see” all the traffic between all the devices connected on that switch.

Luckily, this network security platform uses port mirroring (SPAN) to gain visibility into network traffic without interrupting the original packet flow. By receiving identical copies of packets, the security tool can perform packet inspection to identify potential threats and then report on them. Because the port mirroring happens at the hardware level, the security platform receives a “clone” of the traffic without the switch needing to change the original destination of those packets. This ensures that your security monitoring has zero impact on the speed or reliability of your production network.

Setting up Port Mirroring (SPAN) on Cisco Switches

  1. Identify the source array of Ether-channels and/or interfaces to monitor
    monitor session 1 source interface Gi1/0/1 - 23 both
  2. Send the traffic to the destination port
    monitor session 1 destination interface Gi1/0/24

Let’s look at the commands above to make some sense out of them.

In step 1, the monitor session 1 part of the command is the Session ID. It acts as a label or grouping mechanism that tells the switch which source ports belong to which destination ports. Next up, source defines which source ports will mirror traffic to a destination. Following that, interface declares which ports will be duplicated to a destination. In this example, we are including Gigabit ports 1 through 23 on our 24 port switch. The both option tells the switch to capture and mirror traffic moving in both directions (incoming and outgoing) on the source interfaces.

In step 2, we’re defining the destination interface. This is the switch port into which your network security monitoring solution will plug, so that it can see all the network traffic on ports 1 through 23. Again, the monitor session 1 part of the command is the Session ID, which ties this destination port to the source ports in step 1. Next, destination declares that a destination interface follows, and interface Gi1/0/24 names the port to which you will ultimately connect your network security solution.

A few other tidbits before pressing on. Let’s say that you have a pair of stacked Catalyst switches with Ether-channels configured across them both, in something like a core switch configuration. In this switch arrangement, you can most certainly target Ether-channels as source ports as well, by doing something like this.

monitor session 1 source interface Po1,Po2 both
monitor session 1 source interface Twe1/0/1 - 10 both
monitor session 1 destination interface Twe1/0/24

In the above example, we’re monitoring 2 port channels, and switch ports 1 through 10, and mirroring them all to port 24.

Cleaning Up and Saving your Work

Let’s say you want to delete a port mirror monitoring session, you would do this:
no monitor session 1

Of course, to implement any of this, you’ll need to enter Global Configuration Mode by entering configure terminal. Remember to save your config when done by entering wr (short for write memory), which commits the changes from the running-config to the startup-config.

A Word of Warning

If you configure a switch to mirror twenty high-throughput 10Gbps interfaces, such as Twe1/0/1 - 20, and force that aggregated data down a single 10Gbps destination port, Twe1/0/24, the destination port will most likely drop packets during traffic spikes. While the switch does not drop or delay production traffic on the source ports because of a port mirroring (SPAN) session, the destination stream can saturate, so your security solution receives an incomplete data stream. In other words, your security platform may not see the full picture.
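To make the session syntax and the oversubscription problem concrete, here is an added Python example (not Cisco code, and not part of the original article). It parses the same monitor session lines shown above into sessions, expands interface ranges such as Gi1/0/1 - 23, honours no monitor session N, and then estimates the worst-case load a destination port would have to carry. The per-prefix link speeds, the port-channel membership map and the sample configuration are all assumptions constructed for the example; adjust the speed table to your own hardware. Because both mirrors receive and transmit, a full-duplex source can hand the destination up to twice its line rate, which is why the ratio for twenty same-speed ports comes out at 40:1 rather than 20:1.

```python
"""Parse Cisco IOS 'monitor session' (SPAN) lines and size the destination port.

Added example for this article, not Cisco code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ASSUMPTION: nominal link speed in Gbps by IOS interface-name prefix.
# Port channels are sized from their member ports (see check_session).
SPEED_BY_PREFIX = {"Gi": 1.0, "Te": 10.0, "Twe": 25.0}

# 'Gi1/0/1 - 23' style range; an en-dash often survives copy/paste, so accept it.
RANGE_RE = re.compile(r"^(?P<prefix>[A-Za-z]+)(?P<base>\d+/\d+/)(?P<start>\d+)"
                      r"(?:\s*[-–]\s*(?P<end>\d+))?$")
LINE_RE = re.compile(r"^monitor session (?P<sid>\d+) (?P<role>source|destination) "
                     r"interface (?P<spec>.+?)(?: (?P<dir>both|rx|tx))?$")


@dataclass
class SpanSession:
    sid: int
    sources: Dict[str, str] = field(default_factory=dict)  # interface -> rx|tx|both
    destination: Optional[str] = None


def expand_interfaces(spec: str) -> List[str]:
    """'Gi1/0/1 - 23' -> Gi1/0/1 .. Gi1/0/23; 'Po1,Po2' -> ['Po1', 'Po2']."""
    names: List[str] = []
    for item in (s.strip() for s in spec.split(",")):
        m = RANGE_RE.match(item)
        if m:
            start, end = int(m["start"]), int(m["end"] or m["start"])
            names.extend(f"{m['prefix']}{m['base']}{n}" for n in range(start, end + 1))
        else:
            names.append(item)  # name without a slot path, e.g. Po1
    return names


def parse_span_config(text: str) -> Dict[int, SpanSession]:
    """Build SPAN sessions from config lines; 'no monitor session N' removes one."""
    sessions: Dict[int, SpanSession] = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if line.startswith("no monitor session "):
            sessions.pop(int(line.split()[3]), None)
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised SPAN line: {line!r}")
        sid = int(m["sid"])
        sess = sessions.setdefault(sid, SpanSession(sid))
        if m["role"] == "source":
            for intf in expand_interfaces(m["spec"]):
                sess.sources[intf] = m["dir"] or "both"  # IOS default direction
        else:
            sess.destination = m["spec"]
    return sessions


def link_speed_gbps(intf: str, members: Dict[str, List[str]]) -> float:
    """Physical port speed from its prefix; port-channel speed from its members."""
    if intf.startswith("Po"):
        return sum(link_speed_gbps(m, members) for m in members.get(intf, []))
    return SPEED_BY_PREFIX[re.match(r"[A-Za-z]+", intf).group(0)]


def check_session(sess: SpanSession,
                  members: Optional[Dict[str, List[str]]] = None) -> dict:
    """Report config problems and the worst-case mirrored load on the destination.

    A 'both' source counts twice: its rx and tx copies are both transmitted
    out of the single destination port."""
    members = members or {}
    problems: List[str] = []
    if sess.destination is None:
        problems.append("no destination interface")
    elif sess.destination in sess.sources:
        problems.append(f"{sess.destination} is both source and destination")
    if not sess.sources:
        problems.append("no source interfaces")
    offered = sum(link_speed_gbps(i, members) * (2.0 if d == "both" else 1.0)
                  for i, d in sess.sources.items())
    capacity = link_speed_gbps(sess.destination, members) if sess.destination else 0.0
    ratio = offered / capacity if capacity else float("inf")
    if ratio > 1.0:
        problems.append(f"destination oversubscribed {ratio:.1f}:1 under full load")
    return {"offered_gbps": offered, "capacity_gbps": capacity,
            "ratio": ratio, "problems": problems}


# Constructed sample: the article's stacked-switch example plus an ASSUMED
# membership map saying which physical ports form Po1 and Po2.
SAMPLE_CONFIG = """\
monitor session 1 source interface Po1,Po2 both
monitor session 1 source interface Twe1/0/1 - 10 both
monitor session 1 destination interface Twe1/0/24
"""
SAMPLE_PORT_CHANNELS = {"Po1": ["Twe1/0/21", "Twe2/0/21"],
                        "Po2": ["Twe1/0/22", "Twe2/0/22"]}

if __name__ == "__main__":
    for sid, sess in parse_span_config(SAMPLE_CONFIG).items():
        report = check_session(sess, SAMPLE_PORT_CHANNELS)
        print(f"session {sid}: {len(sess.sources)} sources -> {sess.destination}")
        print(f"  worst case {report['offered_gbps']:.0f} Gbps into "
              f"{report['capacity_gbps']:.0f} Gbps ({report['ratio']:.0f}:1)")
        for p in report["problems"]:
            print("  !", p)
```

Run against the sample, the two port channels (two member ports each) and ten 25G ports add up to 700 Gbps of potential copies aimed at one 25 Gbps port, a 28:1 ratio. The ratio is what matters when planning: if the mirrored ports and the destination share the same speed, N ports mirrored in both directions can offer 2N times what the destination can drain, so any sustained burst is silently truncated before the security platform sees it.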
