Port mirroring, known as SPAN (Switched Port Analyzer) on Cisco devices, with RSPAN (Remote SPAN) covering the case where the analysis port sits on a different switch, allows you to copy network traffic from one or more switch ports (or VLANs) to a designated destination port for analysis. The original traffic is forwarded exactly as before; only copies go to the destination.

Let’s see it in action. Imagine you have a web server connected to GigabitEthernet1/0/1 on a Cisco switch, and you suspect it’s experiencing some unusual traffic patterns. You want to capture all incoming and outgoing traffic on that port to analyze with a tool like Wireshark.

Here’s how you’d configure port mirroring on a Cisco Catalyst switch:

! Configure the source interface (the port you want to monitor)
interface GigabitEthernet1/0/1
 description Web Server
 switchport mode access
 ! No further configuration needed on the source interface itself for basic SPAN;
 ! it keeps forwarding production traffic normally while it is mirrored

! Configure the destination interface (the port where your analysis tool is connected)
interface GigabitEthernet1/0/24
 description Analysis Tool Port
 ! No further configuration needed on the destination interface itself for basic SPAN.
 ! While it is a SPAN destination the switch sends only mirrored copies out of it: it
 ! does not forward normal traffic or accept frames from the capture host by default,
 ! so choose a port that is not otherwise in use

! Create the SPAN session: mirror both directions of Gi1/0/1 into Gi1/0/24
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/24

In this configuration:

  • monitor session 1 source interface GigabitEthernet1/0/1 both tells the switch to copy all traffic on GigabitEthernet1/0/1 into session 1. The both keyword selects ingress and egress; rx or tx in its place would mirror only one direction.
  • monitor session 1 destination interface GigabitEthernet1/0/24 directs all traffic captured in session 1 to be sent out of GigabitEthernet1/0/24.

Now, if you connect a machine running Wireshark to GigabitEthernet1/0/24, you’ll see a copy of every packet that traverses GigabitEthernet1/0/1 (Wireshark captures in promiscuous mode by default, which you need here, because none of the copied frames are addressed to the capture host). Confirm the session is active with show monitor session 1, and give the capture host a second NIC for management, since it has no normal connectivity through the destination port. Remove the session with no monitor session 1 when you are finished: a forgotten SPAN session is a standing feed of other hosts’ traffic to whatever gets plugged into that port. Used deliberately, this is invaluable for troubleshooting performance issues, detecting security threats, or understanding application behavior.

The fundamental problem port mirroring solves is the inability to observe traffic on a specific host or segment without inserting your monitoring device into the data path, which is often impractical or disruptive. By leveraging the switch’s own forwarding hardware, you can tap the traffic flow without touching the path: the switch replicates packets entering or leaving the monitored port(s) and forwards the copies to the destination port without altering the original traffic.

The exact levers you control are primarily the selection of source interfaces (or VLANs), the direction of traffic to mirror (inbound, outbound, or both), and the destination port (the example uses one; many platforms accept several per session). More advanced configurations, like RSPAN, allow you to mirror traffic to a destination port on a different switch. That involves configuring a dedicated VLAN, declared remote-span on every switch in the path and carried over the trunks between them, for the mirrored traffic to traverse.

The most surprising truth about port mirroring is how much traffic can silently go missing from the copy, leaving you with an incomplete analysis if you’re not careful. The switch has finite replication capacity. If the aggregate rate of mirrored traffic exceeds the bandwidth of the destination port, or the capacity the switch’s forwarding hardware gives to replication, the switch drops mirrored packets. This bites even with a single source: a full-duplex 1 Gbps port mirrored with both can produce up to 2 Gbps of copies (1 Gbps in each direction) for a 1 Gbps destination port, and mirroring several sources into one destination makes it worse. This isn’t a failure of the mirroring function itself but a consequence of exceeding the system’s capabilities. The switch prioritizes forwarding the original traffic; replication is a secondary, best-effort task, so production flows are unaffected while your capture quietly loses packets. Therefore, even if your destination port is 1 Gbps and your source is 1 Gbps, if the switch’s internal mirroring ASIC can only handle 500 Mbps of mirrored traffic, you’ll only see half the packets. Two checks catch this. On the switch, watch the output drop counter of the destination interface (show interfaces GigabitEthernet1/0/24 reports total output drops). In the capture, look for holes in TCP sequence space, which Wireshark flags as TCP Previous segment not captured; holes the application never noticed are mirror drops, not real packet loss.
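One way to check a capture for mirror drops, as an added example that is not from the original page: the script below parses constructed Ethernet/IPv4/TCP frames (built inline so it runs offline; in practice you would feed it frames read from the capture file Wireshark saved) and reports holes in each unidirectional flow’s TCP sequence space, the same signal Wireshark surfaces as TCP Previous segment not captured. The frame builder, the flow key layout and the sample addresses and ports are assumptions made for the example.

```python
"""Find holes in TCP sequence space that indicate dropped mirrored packets.

Added example, not code from the original page. Frames are constructed inline
(no checksums, no pcap reader) so the script runs offline; in practice you would
feed it frames read from the capture file Wireshark saved.
"""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame (example-only helper).

    Checksums are left at zero: the analysis below never validates them.
    """
    eth = b"\x00" * 12 + ETHERTYPE_IPV4                  # MAC addresses are irrelevant here
    total_len = 20 + 20 + len(payload)                   # IPv4 header + TCP header + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return ((src, sport, dst, dport), seq, payload_len), or None if not IPv4/TCP."""
    if frame[12:14] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != IPPROTO_TCP:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_off = 14 + ihl
    sport, dport, seq = struct.unpack("!HHI", frame[tcp_off:tcp_off + 8])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload_len = total_len - ihl - data_off
    return (src, sport, dst, dport), seq, payload_len


def find_gaps(frames):
    """Map each unidirectional flow to the [expected, observed) byte ranges never seen.

    Pure ACKs carry no sequence space and are skipped. A segment starting below the
    next expected byte is a retransmission, not a hole. Sequence-number wrap-around
    (2**32) is not handled, which is acceptable for short captures.
    """
    next_expected = {}
    gaps = defaultdict(list)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        flow, seq, plen = parsed
        if plen == 0:
            continue
        if flow in next_expected and seq > next_expected[flow]:
            gaps[flow].append((next_expected[flow], seq))
        next_expected[flow] = max(next_expected.get(flow, 0), seq + plen)
    return dict(gaps)


# Constructed sample: the server (10.0.0.5:443) sends 100-byte segments to a client,
# but the segment covering bytes 1200-1299 never made it through the SPAN session.
SERVER, CLIENT = "10.0.0.5", "10.0.0.9"
SAMPLE_FRAMES = [
    build_frame(SERVER, CLIENT, 443, 51000, 1000, b"A" * 100),
    build_frame(CLIENT, SERVER, 51000, 443, 5000, b"B" * 50),
    build_frame(SERVER, CLIENT, 443, 51000, 1100, b"A" * 100),
    build_frame(CLIENT, SERVER, 51000, 443, 5050, b""),         # pure ACK, no data
    build_frame(SERVER, CLIENT, 443, 51000, 1300, b"A" * 100),  # 1200..1299 missing
    build_frame(SERVER, CLIENT, 443, 51000, 1100, b"A" * 100),  # retransmission, not a hole
]


def sample_report():
    """Run the detector over the constructed capture."""
    return find_gaps(SAMPLE_FRAMES)


if __name__ == "__main__":
    for flow, holes in sample_report().items():
        for start, end in holes:
            print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: missing bytes {start}-{end - 1}")
```

A hole reported here while the application on the web server never retransmitted those bytes means the mirror, not the network, lost them; cross-check against the destination interface’s output drop counter before drawing conclusions from the capture.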

The next concept you’ll likely encounter is how to handle mirroring traffic from multiple sources efficiently or across different switches.
