The Untold Power Behind CISCO Network SPAN

They say “Knowledge is Power”, well I believe that “Applied Knowledge, is Power”.
– Eric Thomas.

Being a network administrator for the past 8 years, I have learned many lessons through experience and learning. Key among these is that the more you know your network, and the more you can see on your network, the more effective you will be as a network admin.

There is true power in being able to monitor all the traffic that flows through your network. Seeing all of this traffic lets you quickly and effectively find and fix problems. To be able to quickly see a point of failure, identify which user, or which traffic is causing the issue and fix it, really is a skill that you cannot put a price on.

I always look for the simplest, most effective way to solve a problem. Often this method is also cost-effective (free) to implement and use.

Network SPAN, or Switched Port ANalyzer, is a method of network monitoring that mirrors traffic flowing through a CISCO network switch and sends that data to a traffic analyzer like Wireshark.

Network SPAN, sometimes called Port Mirroring, makes a copy of any traffic that is flowing through a switch port and sends it to another port. The port the traffic is sent to is directly connected to your Network Traffic Analyzer.

This method of traffic monitoring is not only free, but it’s also easy to set up and implement. With a few commands, Network SPAN can be running on your network in minutes.

Network Traffic Analyzer

This is a computer or server that has network traffic analysis software installed on it. The purpose of this device is to receive your mirrored or copied traffic from your network and analyze it. After being analyzed it will then give you meaningful reports to help you take action depending on what you see. This device or software also gives you a real-time view of traffic on your network.

Some examples of traffic analyzers include solutions like SolarWinds, Wireshark (free), and ManageEngine (also free).

Source SPAN Port

The Source SPAN Port is the port being mirrored or monitored. SPAN can also be used to monitor an entire VLAN. The best practice is to set up SPAN as close as possible to the source of the traffic you want to monitor. For example, if you want to monitor internet traffic, set up SPAN on the port that connects to your internet gateway device. If you want to monitor traffic related to your internal email services, set up SPAN on the switch port that faces your internal email server.

Destination SPAN Port

The Destination SPAN Port is the port that connects to your Network Traffic Analyzer.  This is normally only a single port because it is expected that only one device on your network will do the traffic analysis.

Once set up, network SPAN will mirror both incoming and outgoing traffic flowing through the specified source port or VLAN. The magic then happens on the traffic analyzer, which will spit out meaningful information that you as the network admin will use to make decisions about your network.

SPAN Configuration (CISCO Catalyst SWITCH)

It only takes two commands to set up SPAN.

CISCO-Catalyst(config)# monitor session 1 source interface fastethernet 0/1
~ This makes fastethernet 0/1 your source port. Any traffic flowing here will be mirrored (copied).

CISCO-Catalyst(config)# monitor session 1 destination interface fastethernet 0/24
~ All mirrored traffic is sent here. This port should be connected to your network traffic analyzer.

To verify your Network SPAN implementation:

CISCO-Catalyst# show monitor session 1
~ Sample output~
Session 1
Type                  : Local Session
Source Ports      :
    Both              : Fa0/1
Destination Ports: Fa0/24
    Encapsulation : Native
          Ingress: Disabled
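
An added example (not part of the original post, and not Cisco tooling): a Python check that parses the show monitor session output above and compares each session's source and destination ports with what you intended to configure, so a changed or unexpected mirror stands out. The "RX Only"/"TX Only" direction labels and the approved-session mapping are assumptions; the sample text is constructed from the output above.

```python
import re

# Constructed sample, copied from the "show monitor session 1" output above.
SAMPLE = """\
Session 1
Type                  : Local Session
Source Ports      :
    Both              : Fa0/1
Destination Ports: Fa0/24
    Encapsulation : Native
          Ingress: Disabled
"""

def ports(value):
    """Split a comma-separated port list, ignoring empty and 'None' entries."""
    return [p.strip() for p in value.split(",") if p.strip() not in ("", "None")]

def parse_span_sessions(text):
    """Parse 'show monitor session' text into {session_id: fields}."""
    sessions, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Session\s+(\d+)$", line)
        if header:
            current = sessions.setdefault(int(header.group(1)), {"sources": {}, "destinations": []})
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key in ("Both", "RX Only", "TX Only"):   # direction labels (assumed)
                current["sources"][key] = ports(value)
            elif key == "Destination Ports":
                current["destinations"] = ports(value)
            elif value:
                current[key.lower()] = value
    return sessions

def audit(sessions, approved):
    """Compare parsed sessions with approved {id: (source set, destination set)}."""
    findings = []
    for sid, s in sorted(sessions.items()):
        if sid not in approved:
            findings.append(f"session {sid}: not in approved list")
            continue
        srcs = {p for plist in s["sources"].values() for p in plist}
        want_src, want_dst = approved[sid]
        if srcs != want_src:
            findings.append(f"session {sid}: unexpected sources {sorted(srcs)}")
        if set(s["destinations"]) != want_dst:
            findings.append(f"session {sid}: unexpected destinations {sorted(s['destinations'])}")
        if s.get("ingress", "Disabled") != "Disabled":
            findings.append(f"session {sid}: ingress enabled on destination port")
    return findings
```

Calling audit(parse_span_sessions(SAMPLE), {1: ({"Fa0/1"}, {"Fa0/24"})}) returns an empty list when the switch matches the two commands above.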

For a more detailed look at how to configure SPAN and its additional features, check out this CISCO link.

TAP – Test Access Point

Network Test Access Point, or TAP for short, is an alternative to SPAN. Network TAP is a paid solution, compared to Network SPAN, which is free. TAP is implemented using a physical device that you plug into your network to mirror traffic that flows through the source port. TAP is more plug and play because it does not need any configuration changes to be made. The TAP device will then forward all the mirrored traffic to the network analyzer.

SPAN vs TAP

My simple recommendation is if you have some cash to spare, get yourself a TAP device. If not, SPAN combined with a free analyzer like Wireshark is an effective alternative.

Unlike SPAN, a TAP device will not drop (or fail to mirror) any traffic when the port is overwhelmed with traffic. In normal situations, traffic drops will not occur, but when there is a high amount of traffic on your network, the chance of SPAN dropping traffic exists.

I personally use SPAN on the networks I administer because it helps to give me an in-depth look at what traffic actually flows on my network.

You will also want to check out this awesome infographic from Garland Technology that shows a side-by-side comparison between SPAN and TAP. It really tells you all you need to know about the two offerings.

Happy Network Monitoring.