Good to know
Port mirroring is used on a network switch or a router to send a copy of network packets seen on the source ports to destination ports. This allows packets to be monitored and analyzed.
Types of Mirroring
There are two types of mirroring:
- Local Port Mirroring
Local mirroring is possible when all source ports are located on the same network device as the destination ports.
- Remote Port Mirroring
Remote mirroring is required when the source and destination ports are not on the same device. The source port forwards the packet copy to the destination port through the uplink connection.
Port mirroring is also known as Switched Port Analyzer (SPAN) or Roving Analysis Port (RAP). Switched Port Analyzer (SPAN) is a very efficient traffic monitoring system. It directs or mirrors traffic from a source port or VLAN to a destination port.
Types of SPANs
There are three types of SPANs:
- SPAN or local SPAN
- Remote SPAN (RSPAN)
- Encapsulated Remote SPAN (ERSPAN)
A SPAN source can be any port, i.e., a routed port, a physical switch port, an access port, a trunk, a VLAN (all active ports of the switch are monitored), an EtherChannel (either a port or entire port-channel interfaces), etc.
A port configured for SPAN destination cannot be part of a SPAN source VLAN.
SPAN or Local SPAN mirrors traffic from one or more interfaces on the switch to one or more interfaces on the same switch; hence, SPAN is referred to as LOCAL SPAN.
Remote SPAN (RSPAN) supports source ports, source VLANs, and destination ports on different switches. It provides remote monitoring of traffic from source ports distributed over multiple switches and allows the network capture devices at the destination to be centralized.
Encapsulated Remote SPAN (ERSPAN) adds generic routing encapsulation (GRE) to all captured traffic, which allows it to be extended across Layer 3 domains. ERSPAN is a Cisco proprietary feature available only on Catalyst 6500, 7600, Nexus, and ASR 1000 platforms.
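To show what the GRE encapsulation means for a capture device at the destination, the following added example (not from the original page) strips the GRE and ERSPAN headers to recover the mirrored frame. It assumes the ERSPAN Type II layout: GRE protocol type 0x88BE with a sequence number, followed by an 8-byte ERSPAN header. The function name and the sample packet are constructed for illustration.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type used by ERSPAN Type II

def decap_erspan2(gre: bytes) -> dict:
    """Parse the GRE payload of an outer IP packet carrying ERSPAN Type II
    and return the session metadata plus the mirrored Ethernet frame."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError(f"not ERSPAN: GRE protocol 0x{proto:04x}")
    if not flags & 0x1000:
        raise ValueError("no GRE sequence number, not ERSPAN Type II")
    off = 4
    if flags & 0x8000:   # optional checksum + reserved field
        off += 4
    if flags & 0x2000:   # optional key field
        off += 4
    if len(gre) < off + 12:
        raise ValueError("truncated ERSPAN header")
    seq, w0, w1, w2 = struct.unpack_from("!IHHI", gre, off)
    off += 12
    if w0 >> 12 != 1:
        raise ValueError("ERSPAN version field is not 1 (Type II)")
    return {
        "sequence": seq,                  # gaps indicate dropped mirror copies
        "vlan": w0 & 0x0FFF,              # VLAN of the mirrored frame
        "truncated": bool(w1 & 0x0400),   # T bit: frame was cut short
        "session_id": w1 & 0x03FF,        # ERSPAN session on the source device
        "index": w2 & 0xFFFFF,            # source port index
        "frame": gre[off:],               # original Ethernet frame
    }

# Constructed sample: broadcast Ethernet frame mirrored in session 5, VLAN 100.
INNER_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"demo"
SAMPLE = struct.pack("!HHIHHI", 0x1000, GRE_PROTO_ERSPAN, 7,
                     (1 << 12) | 100, 5, 3) + INNER_FRAME

if __name__ == "__main__":
    info = decap_erspan2(SAMPLE)
    print(info["session_id"], info["vlan"], info["frame"].hex())
```

A sensor that tracks the sequence number per session can tell when mirror copies were lost in transit and the capture is incomplete.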
What is Network Tap?
A network tap is a hardware device installed on the network. It enables network traffic to pass unimpeded while duplicating all data to a monitor port where a network analyzer can access it.