The do's and don'ts of SPAN ports!
A mirror or SPAN (Switched Port Analyzer) port can be a very useful resource if used in the correct way. SPAN ports are typically found on network switch gear, although their features vary among switch vendors. They are commonly used for network appliances or software applications that require monitoring of network traffic, such as an intrusion detection system or application performance management.
While all this sounds great, you do need to be very careful with the way you use SPAN ports. On the Cisco Catalyst 5500/5000 and 6500/6000 series switches, a packet received on a port is transmitted on the internal switching bus. Whether one or several ports eventually transmit the packet has absolutely no influence on the switch operation.
The problems with SPAN ports start when you overload them with data. A typical example would be where someone has a bunch of servers connected to a core switch and they try to mirror all of these ports to a single SPAN port. Chances are the port will become oversubscribed, resulting in dropped packets on the SPAN port. In some extreme cases the switch may even throttle back on its own operations if the SPAN port is receiving too much data.
You also need to make sure you are monitoring the portions of the network flows that you are interested in. SPAN ports allow you to monitor ports or VLANs, but you can also specify which portions of the traffic you want to capture. Do you need to see outbound traffic, inbound traffic or traffic in both directions? If you get this wrong you may still get results in your traffic monitoring application, but you may miss vital information.
Another common problem with SPAN ports happens during the setup process. A SPAN port is basically a dumping ground for packets; it does not interact with the network in the same way an access or trunk port would. If you mix up the sources and destination when configuring a SPAN port you will bring down network services. When setting up SPAN ports you are presented with words like source, destination, both-directions, ingress and egress, so it's not surprising that people get confused.
Leaving these issues aside, I do want to repeat that SPAN ports can be a tremendous source of data on a network. What you need to do is plan your use of them carefully.
- Create a network monitoring diagram. Pick out the points on your network that you would like to monitor and document them.
- Check the documentation for your network switches. Do they support SPAN or mirror ports? Search documents, manuals and forums for any information on the limitations of your particular switch.
- Get familiar with terms like source and destination ports. Sources are what you want to monitor; destination ports are the SPAN ports.
- Check whether you need to monitor traffic in both directions or only outbound or inbound flows.
- Do not overload your SPAN ports. Once you set them up, check what port utilization looks like. Look at switch counters such as packet drop rates on the SPAN ports. If you overload one SPAN port you can always set up a second.
- Be sure to save your switch configurations when you have your SPAN ports in place. I have come across instances where SPAN ports were lost due to switch reboots. This would only be spotted when they were needed to troubleshoot some network or application problem.
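To make the source/destination and oversubscription points above concrete, here is a small planning script (an added example, not NetFort's tool or code from this post). It budgets a SPAN destination port against the worst case of every source link saturating, counts "both" as two copies of each frame, refuses a destination that is also a source, and emits the Cisco IOS `monitor session` commands. Interface names, speeds and the session number are constructed sample values.

```python
"""Plan a Cisco IOS SPAN session: budget the destination port, catch the
source/destination mix-up, and print the monitor session commands.
Added example; all interface names and speeds are constructed samples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    iface: str       # monitored port, e.g. "GigabitEthernet1/0/1" (constructed)
    speed_mbps: int  # link speed of the monitored port
    direction: str   # IOS keywords: "rx", "tx" or "both"


def worst_case_load_mbps(sources):
    """Peak traffic the destination could receive if every source link
    were saturated. 'both' copies each direction, so it counts twice."""
    total = 0
    for s in sources:
        if s.direction not in ("rx", "tx", "both"):
            raise ValueError(f"{s.iface}: direction must be rx, tx or both")
        total += s.speed_mbps * (2 if s.direction == "both" else 1)
    return total


def plan_span(session, sources, dest_iface, dest_speed_mbps):
    """Return (commands, warnings). Refuses a port that is both a source
    and the destination, and warns before the destination is oversubscribed."""
    if any(s.iface == dest_iface for s in sources):
        raise ValueError(f"{dest_iface} cannot be both SPAN source and destination")
    load = worst_case_load_mbps(sources)
    warnings = []
    if load > dest_speed_mbps:
        warnings.append(
            f"session {session}: worst-case {load} Mb/s exceeds the "
            f"{dest_speed_mbps} Mb/s destination {dest_iface}; expect drops, "
            "split the sources across a second session/destination")
    cmds = [f"monitor session {session} source interface {s.iface} {s.direction}"
            for s in sources]
    cmds.append(f"monitor session {session} destination interface {dest_iface}")
    return cmds, warnings


if __name__ == "__main__":
    # Constructed sample: four server ports mirrored in both directions to one 1G port.
    servers = [Source(f"GigabitEthernet1/0/{n}", 1000, "both") for n in range(1, 5)]
    commands, warns = plan_span(1, servers, "GigabitEthernet1/0/24", 1000)
    print("\n".join(commands + warns))
```

The warning fires because four 1 Gb/s servers mirrored in both directions can present up to 8 Gb/s to a 1 Gb/s destination, which is exactly the drop scenario described above.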
To try to make things easier, we here at NetFort have developed a free tool which makes the job of setting up a SPAN port much more straightforward on Cisco switches. Instead of having to type in multiple commands via a CLI, you can use the intuitive interface to select what you want to monitor and where you want to send the data. You can download your own free copy from this link, and you can also watch an independent review of it in this video by well-known author, teacher, analyst and troubleshooting expert, and a very trusted technologist, Tony Fortunato.
Do you use SPAN or mirror ports on your network?
Do they cause any problems or do their benefits far outweigh any negative aspects?
Author Darragh Delaney is Director of Technical Services at NetFort Technologies. Darragh is Cisco CCNA certified and has extensive experience in the IT industry, having previously worked for O2 and Tyco before joining NetFort Technologies in 2005. As Director of Technical Services and Customer Support, he interacts on a daily basis with NetFort customers and is responsible for the delivery of a high quality technical and customer support service. http://ie.linkedin.com/in/darraghdelaney