5 reasons why you should not use a permanent SPAN port - Part 1

Jan 24, 2018

SPAN or MIRROR ports are often a very hot topic between network administrators and security managers. Due to the high port density of current switches, there are usually free ports available. So a quick decision has been made to use one of these free ports for traffic monitoring. There is also no objection to this in principle. That's why the SPAN feature is available. However, SPAN was originally designed to provide network administrators with an easy way to troubleshoot problems using a network analyzer on a switched network. This hasn't changed in principle, although modern switches offer considerably more complex SPAN configuration options than was the case with the introduction of the SPAN feature. Exactly this high flexibility and new possibilities easily lead to questionable usage or misuse of SPAN ports. Today there is probably no company that does not use SPAN ports for permanent traffic monitoring. The ports are available and can be configured quite quickly according to the respective monitoring task without additional costs. In most cases, the possible effects and the achievable quality of the data delivered on the SPAN port are not checked.

That's why I've put together 5 reasons why you should not use SPAN ports in permanent monitoring installations, or only to a limited extent:

  1. A destination port (SPAN) receives copies of the sent and received traffic for all monitored source ports. If a destination port (SPAN) is oversubscribed, it can be overloaded at any time. This congestion not only results in packet loss at the destination port (SPAN) but can also affect traffic forwarding at one or more of the source ports. This means that if multiple ports and/or VLANs of a switch are 'copied' or mirrored on one SPAN port and all ports support the same bandwidth (e.g. 10G), packet loss can occur on all ports involved at any time. This means that even productive data can be lost and data at the SPAN port is securely lost, which at least leads to falsified measurements (for whatever purpose).

  2. All data on a monitored source port is forwarded once to the receiving system connected to one of the other switch ports and then copied again and forwarded to the destination port (SPAN). This usually leads to an increase in traffic per monitored source port on this switch. This burdens the entire switch with often unpredictable consequences (increased error rate, higher latencies, etc.) in addition to the data loss that increases with the additional load. However, the extent of these effects always depends on the internal architecture of the respective switch and has to be investigated on a case-by-case basis.

Would you like to find out more?
Ask us your question here or give us a call.

Part 2 will be available here in about two weeks!