02-05-2021 02:53 AM - edited 02-06-2021 12:06 PM
Hello, everyone:
I have read about Port Mirroring and I think I get the idea and I also know how to implement it.
Now, I would like to know practical and concrete scenarios where I could use it, for instance: a user is having problems with her connection, which gets interrupted every x minutes, or to send traffic to a syslog server, or to avoid ARP spoofing, etc.
I would like to hear from experienced network administrators, in which concrete cases it can help to solve a problem.
Thank you in advance.
02-05-2021 03:02 AM
Most of the use cases are to identify the problem - being in the middle to understand the issue (it can be the user device or the network). You can mirror the traffic using a SPAN port for many troubleshooting issues, and you can use Wireshark to analyse the data.
Here are some good guidelines that explain more (hope that helps you):
https://community.cisco.com/t5/networking-documents/understanding-span-rspan-and-erspan/ta-p/3144951
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html
https://www.youtube.com/watch?v=GyDpkVoix00
02-05-2021 05:58 AM
In general, SPAN (which is almost always used in conjunction with a network sniffer) is used to diagnose network problems and analyze overall network and application activity. Problems are typically applications performing poorly. It is also used to analyze security risks, as you have packet level insight.
I was asked to use SPAN once to spy on a colleague (which I refused), who was suspected of using the Internet for private purposes.
02-06-2021 12:06 PM
Thank you, Georg.
I appreciate your practical examples. Technically, it is easy to find how to do Port Mirroring, but how and when to use it was harder.
Thank you again.
02-06-2021 02:17 PM
In normal cases, most network tools are able to identify the network issue, but if you are looking for deep inspection of the packet, and since you never know about random issues in the network, the SPAN port will help by giving you some information to investigate the issue.
02-07-2021 03:55 AM - edited 02-07-2021 04:03 AM
Hello
SPAN or mirroring enables you to attach a network capture device, such as a PC running Wireshark, and begin to capture network traffic from specific source port(s) or VLANs.
By default, if you just attach your capture device to a port on the switch, it will capture all BUM traffic from the VLAN that port is assigned to, even without you configuring anything.
Now, if you wish to be specific about which port(s), VLAN(s) or remote VLAN(s) you want to capture traffic from, then you need to configure SPAN.
One such example would be to capture traffic from a specific port or VLAN to see what traffic is traversing the specific source port/VLAN, so you can then check that capture in a network analyser to see what is causing network issues for that particular user(s).
02-07-2021 08:53 AM
As the other posters have noted, port mirroring is normally used to be able to examine traffic on another port without attaching, in-line, to that port. Further, the most "advanced" version of SPAN allows port mirroring across an IP network. So, for example, I've used that SPAN version to examine packets from one coast of the US to the other (literally).
I also understand port mirroring is sometimes used to feed a security monitoring device, again without the need to place the device physically in-line.
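For the ARP spoofing case raised in the question, this is one way a monitoring host on a SPAN destination port could check mirrored frames for an IP address that changes its MAC binding. It is an added example, not code from any poster in this thread; the function names are hypothetical and the sample frames are constructed with documentation addresses, not taken from a real capture.

```python
import socket
import struct

ETH_ARP, ETH_VLAN = 0x0806, 0x8100

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:                  # 14-byte Ethernet header + 28-byte ARP body
        return None
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == ETH_VLAN:            # skip one 802.1Q tag if the mirror kept it
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETH_ARP or len(frame) < off + 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[off:off + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = ":".join(f"{b:02x}" for b in frame[off + 8:off + 14])
    spa = socket.inet_ntoa(frame[off + 14:off + 18])
    return op, sha, spa

def find_ip_mac_conflicts(frames):
    """Flag every ARP frame whose sender IP was first seen with a different MAC."""
    seen, alerts = {}, []
    for index, frame in enumerate(frames):
        parsed = parse_arp(frame)
        # Skip non-ARP frames and ARP probes (sender 0.0.0.0 claims no binding).
        if parsed is None or parsed[2] == "0.0.0.0":
            continue
        _, mac, ip = parsed
        if ip in seen and seen[ip] != mac:
            alerts.append((index, ip, seen[ip], mac))
        seen.setdefault(ip, mac)         # keep the first binding as the baseline
    return alerts

def build_arp(src_mac, src_ip, dst_ip, op=2, vlan=None):
    """Build a sample broadcast ARP frame (constructed test data)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    tag = b"" if vlan is None else struct.pack("!HH", ETH_VLAN, vlan)
    eth = b"\xff" * 6 + mac + tag + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac + socket.inet_aton(src_ip)
    return eth + arp + b"\x00" * 6 + socket.inet_aton(dst_ip)

SAMPLE_FRAMES = [                        # constructed frames, not a real capture
    build_arp("00:00:5e:00:53:01", "192.0.2.1", "192.0.2.10"),
    build_arp("00:00:5e:00:53:10", "192.0.2.10", "192.0.2.1", op=1, vlan=20),
    build_arp("00:00:5e:00:53:66", "192.0.2.1", "192.0.2.10"),  # new MAC for .1
    b"\x00" * 10,                        # truncated frame, ignored
]
```

A changed binding is a lead to investigate, not proof of spoofing: a gateway failover or a replaced NIC produces the same signal.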