Best Practices for Mirroring Configurations

The following best practices should be followed when spanning (mirroring) industrial traffic from switches:

  • Qualys recommends VLAN-based mirroring wherever possible; port mirroring should be used only when VLAN mirroring is unavailable. Qualys also recommends that the industrial switch be able to mirror multiple source ports to a single destination port.
  • If the switch cannot mirror all of the required ports, use a network TAP or deploy a new switch that supports mirroring of all ports.
  • Selecting the switch's only uplink as the SPAN source is not recommended in OT environments: traffic between PLCs, HMIs and IO devices connected to the same switch is forwarded locally and never reaches the uplink.
  • Suppose engineering workstations are connected to one switch (S1) and PLCs and IO devices to another switch (S2), with both S1 and S2 connected to an aggregation switch. The uplink of S1 or S2 then carries the traffic between the PLCs and the engineering workstations, and in this case Qualys recommends mirroring traffic from the uplink of S1 or S2. Traffic that stays local to S2 (PLC to IO device) still does not cross that uplink and must be covered as described in the previous point.
  • If multiple switches are to be spanned, SPAN both the local access ports and the inter-switch trunk ports. Traffic between devices on the same switch is seen on that switch's access ports but never on a trunk port; traffic between devices on different switches may not be captured completely from the local access ports alone, but it always traverses the trunk links.
  • When configuring SPAN on Cisco switches, leave the ingress keyword off the destination interface (it is disabled by default). Without it the destination port only transmits mirrored frames; it does not accept frames from the attached sensor and forward them into the process network, which keeps the monitoring port passive and improves security.
  • Process control switches generally run at very low CPU utilization, so mirroring does not normally cause a problem. Nevertheless, validate switch CPU utilization before and after configuring the mirror.
  • You can verify that mirroring covers the intended devices by dumping the switch's MAC address table: confirm that the MAC address of every device you want to monitor has been learned on a port (or in a VLAN) that is configured as a SPAN source.
  • Where overlapping IP address ranges are used in different sections of the facility, the corresponding traffic must be categorized by manually tagging each section with its location.
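The following Cisco IOS local SPAN configuration is an added example that walks through the recommendations above (VLAN-based sources, a port-based fallback that includes the trunk, a destination without the ingress keyword, and the CPU and MAC-table checks). It is not taken from the original page or from Qualys; the VLAN IDs, interface names and session number are assumptions chosen for illustration.

```cisco
! Added example (not from the original page or Qualys): Cisco IOS local SPAN
! feeding an OT monitoring sensor. All names below are assumptions:
!   VLAN 10, VLAN 20          process VLANs carrying PLC/HMI/IO traffic
!   GigabitEthernet1/0/1 - 8  access ports for PLCs, HMIs and IO devices
!   GigabitEthernet1/0/24     trunk/uplink to the aggregation switch
!   GigabitEthernet1/0/23     spare port dedicated to the monitoring sensor
!
! 1. Record a CPU baseline before touching the mirror configuration.
show processes cpu

configure terminal

! 2. Preferred: VLAN-based SPAN. Every frame switched within VLAN 10 or 20
!    is copied, including PLC <-> HMI traffic that never reaches the uplink,
!    and frames of those VLANs crossing the trunk are covered as well.
!    Repeated "source" lines for the same session are additive.
monitor session 1 source vlan 10 both
monitor session 1 source vlan 20 both

! 3. Destination: the sensor port, deliberately WITHOUT the "ingress"
!    keyword, so the switch never accepts frames from the sensor and
!    forwards them into the process network.
monitor session 1 destination interface GigabitEthernet1/0/23

! 4. Fallback when the platform offers no VLAN SPAN: port sources instead.
!    IOS does not allow one session to mix VLAN and port sources, and a port
!    can be the destination of only one session, so replace session 1
!    rather than adding to it. Mirror the access ports AND the trunk so that
!    both intra-switch and inter-switch traffic is seen.
! no monitor session 1
! monitor session 1 source interface GigabitEthernet1/0/1 - 8 both
! monitor session 1 source interface GigabitEthernet1/0/24 both
! monitor session 1 destination interface GigabitEthernet1/0/23

end

! 5. Verify the session (the output should report Ingress : Disabled), that
!    every monitored device's MAC is learned in a source VLAN / on a source
!    port, and that CPU utilization is still comparable to the baseline.
show monitor session 1
show mac address-table vlan 10
show mac address-table vlan 20
show processes cpu
```

The destination port stops taking part in normal forwarding once it is in a session, so it must be a spare port reserved for the sensor. One caveat when VLAN sources are mirrored with "both": a frame that enters and leaves the switch inside the same VLAN is copied on ingress and again on egress, so the sensor sees duplicates; if the sensor does not deduplicate, mirror the VLAN sources with "rx" only, which still captures each frame exactly once because every frame enters the switch on exactly one port.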