SPAN Port Configurator Best Practices: Avoiding Common Pitfalls

SPAN Port Configurator: Quick Reference and Command Examples

What it is

SPAN (Switch Port Analyzer) Port Configurator is a tool or feature used to configure SPAN/mirror sessions on network switches so traffic from one or more source ports or VLANs is copied to a destination (monitor) port for analysis with packet captures, IDS/IPS, or monitoring tools.

Common terms

  • Source: Port(s) or VLAN(s) whose traffic is copied.
  • Destination (monitor) port: Port that receives mirrored traffic; connect your analyzer here.
  • Session: A single mirroring instance (some switches support multiple).
  • Ingress/Egress: Direction of traffic being mirrored (ingress = incoming, egress = outgoing).
  • Encapsulation: How mirrored traffic is delivered (e.g., native, ERSPAN for tunneled remote mirroring).

Typical constraints

  • Destination port usually cannot simultaneously be a regular switching port for production traffic.
  • Mirrored traffic may overwhelm the destination link; use filters or sampling if supported.
  • Hardware limits: number of simultaneous sessions and sources per session vary by platform.
  • When mirroring VLANs, how member ports and trunks are handled differs by vendor.

Example command patterns (vendor-agnostic)

  • Create/enter SPAN configuration mode:

    router# configure terminal
    router(config)# monitor session <session-id> source interface <interface> both
    router(config)# monitor session <session-id> destination interface <interface>

  • Add VLAN as source:

    router(config)# monitor session <session-id> source vlan <vlan-id>

  • Remove a source or session:

    router(config)# no monitor session <session-id> source interface <interface>
    router(config)# no monitor session <session-id>

Cisco IOS example

  • Mirror both directions from GigabitEthernet1/0/1 to GigabitEthernet1/0/24:

    Code

    configure terminal
    monitor session 1 source interface Gi1/0/1 both
    monitor session 1 destination interface Gi1/0/24
    end

  • Add remote ERSPAN (simplified):

    Code

    configure terminal
    monitor session 2 type erspan-source
    monitor session 2 source interface Gi1/0/2 both
    monitor session 2 destination ip 10.0.0.100
    end

Juniper (Junos) example

  • Local port mirroring:

    Code

    set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
    set forwarding-options port-mirroring input ingress interface ge-0/0/0 output interface ge-0/0/7
    commit

  • Mirror VLAN:

    Code

    set forwarding-options port-mirroring input ingress vlan members 100 output interface ge-0/0/7
    commit

Linux (tc) example for simple mirroring

Code

# mirror eth0 ingress to eth1
tc qdisc add dev eth0 ingress
# "mirror" copies each packet to eth1; "redirect" would divert it away from eth0's normal path
tc filter add dev eth0 parent ffff: protocol all u32 match u8 0 0 action mirred egress mirror dev eth1

Troubleshooting checklist

  1. Verify session: show monitor session (Cisco) / show port-mirroring (Juniper).
  2. Check destination port state: ensure link up and no STP/blocking.
  3. Confirm direction: use ingress/egress/both as needed.
  4. Watch for dropped packets: mirrored traffic can exceed destination bandwidth.
  5. Ensure the analyzer's capture interface is in promiscuous mode and its capture filters are correct.

Best practices (brief)

  • Use dedicated destination ports or TAPs.
  • Limit mirrored traffic with ACL filters or sampling.
  • Prefer hardware-based mirroring for high-throughput links.
  • Document sessions and clean up unused ones.
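
An added example (not part of the original reference, and not a vendor tool): a small Python audit that parses `monitor session` lines in the Cisco IOS form shown above, then flags sessions with no destination and sessions whose worst-case mirrored load exceeds the destination link. The sample configuration and the interface speed table are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the Cisco IOS form used above; not from a real device.
SAMPLE_CONFIG = """\
monitor session 1 source interface Gi1/0/1 both
monitor session 1 destination interface Gi1/0/24
monitor session 2 source interface Gi1/0/2 rx
monitor session 2 source interface Gi1/0/3 rx
monitor session 2 destination interface Gi1/0/23
monitor session 3 source interface Gi1/0/5 tx
"""
# Assumed link speeds in Mb/s; on a real switch take these from the interface status.
SPEEDS = {"Gi1/0/1": 1000, "Gi1/0/2": 100, "Gi1/0/3": 100, "Gi1/0/5": 1000,
          "Gi1/0/23": 1000, "Gi1/0/24": 1000}

LINE = re.compile(r"^monitor session (\d+) (source|destination) interface (\S+)(?: (rx|tx|both))?$")

def parse_sessions(config):
    """Return {session_id: {"sources": [(port, direction)], "dest": port or None}}."""
    sessions = defaultdict(lambda: {"sources": [], "dest": None})
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, role, port, direction = m.groups()
        if role == "source":
            # IOS mirrors both directions when none is given.
            sessions[int(sid)]["sources"].append((port, direction or "both"))
        else:
            sessions[int(sid)]["dest"] = port
    return dict(sessions)

def audit(sessions, speeds):
    """Return (session_id, finding) tuples for incomplete or oversubscribed sessions."""
    findings = []
    for sid, s in sorted(sessions.items()):
        if s["dest"] is None:
            findings.append((sid, "no destination: unused or incomplete session"))
            continue
        # Worst case: 'both' copies rx and tx, so up to 2x the source line rate.
        peak = sum(speeds[p] * (2 if d == "both" else 1) for p, d in s["sources"])
        if peak > speeds[s["dest"]]:
            findings.append((sid, f"peak {peak} Mb/s exceeds destination {speeds[s['dest']]} Mb/s"))
    return findings

if __name__ == "__main__":
    for sid, finding in audit(parse_sessions(SAMPLE_CONFIG), SPEEDS):
        print(f"session {sid}: {finding}")
```

The peak figure is a line-rate upper bound, so a flagged session is a candidate for filtering or a faster destination port, not proof that drops are occurring.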

Quick reference cheatsheet

  • Create session: monitor session <session-id> source … destination …
  • Add VLAN: monitor session <session-id> source vlan <vlan-id>
  • View: show monitor session
  • Delete: no monitor session <session-id>
