Switched Port Analyzer (SPAN) is another way of saying “port mirror”. What’s helpful about the term “SPAN” – if you know what the acronym stands for – is that it tells you the feature is about providing visibility of switch traffic to other tools.
Port mirroring is a network switch’s ability to send a copy of the packets passing through a switch port to a network monitoring or inspection device that is connected to the mirror port – a dedicated port on the switch.
Let’s first take a brief look at port mirroring in general, and then we’ll jump into port mirroring in a virtual network.
Port Mirroring and the Many Flavors of SPAN and Where They Are Used
Port mirroring can be beneficial in different types of network environments, such as local area networks (LAN), virtual local area networks (VLAN), and wireless local area networks (WLAN), depending on the design requirements. It enhances network visibility by assisting in monitoring and inspecting traffic, identifying network anomalies, and, finally, troubleshooting them.
There are several common options for port mirroring:
- Switch Port Analyzer (SPAN) – The standard port mirror connected to the switch.
- Remote Switch Port Analyzer (RSPAN) – In RSPAN the tool does not need to be directly connected to the switch that holds the mirrored ports. It’s like a ‘floating’ port mirror whose destination can be anywhere on the connected Layer 2 network.
- Encapsulated Remote Switch Port Analyzer (ERSPAN) – A more advanced form of RSPAN that overcomes the latter’s Layer 2 limitation. ERSPAN wraps the captured packets in Generic Routing Encapsulation (GRE), so they can be sent across a routed network.
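To make concrete what ERSPAN’s GRE encapsulation looks like when it arrives at a tool, here is an added Python decoder (example code, not from the original post or from any switch vendor) that strips the GRE and ERSPAN Type II headers from a mirrored packet and recovers the session ID, the original VLAN and the inner Ethernet frame. It assumes the outer IPv4 header has already been removed, and the sample packet is constructed for the example, not captured.

```python
import struct

GRE_PROTO_ERSPAN_II = 0x88BE   # EtherType the GRE header carries for ERSPAN Type II


def parse_erspan_type2(gre_payload: bytes) -> dict:
    """Decode GRE + ERSPAN Type II and return session metadata plus the inner frame.

    gre_payload is everything after the outer IPv4 header (IP protocol 47 = GRE).
    Raises ValueError for anything that is not well-formed ERSPAN Type II.
    """
    if len(gre_payload) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre_payload[:4])
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN Type II")
    # GRE optional fields, in wire order, when their flag bits are set:
    # C (bit 15) checksum+reserved, K (bit 13) key, S (bit 12) sequence number.
    off = 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0)
    seq = None
    if flags & 0x1000:
        if len(gre_payload) < off + 4:
            raise ValueError("truncated GRE sequence number")
        (seq,) = struct.unpack("!I", gre_payload[off:off + 4])
        off += 4
    if len(gre_payload) < off + 8:
        raise ValueError("truncated ERSPAN header")
    # ERSPAN Type II header, two 32-bit words:
    #   ver(4) | vlan(12) | cos(3) | en(2) | t(1) | session_id(10)
    #   reserved(12) | index(20)
    w0, w1 = struct.unpack("!II", gre_payload[off:off + 8])
    if w0 >> 28 != 1:
        raise ValueError(f"ERSPAN version {w0 >> 28} is not Type II (1)")
    return {
        "gre_seq": seq,
        "vlan": (w0 >> 16) & 0x0FFF,        # VLAN the frame was seen on at the source
        "cos": (w0 >> 13) & 0x7,
        "encap": (w0 >> 11) & 0x3,
        "truncated": bool((w0 >> 10) & 0x1),  # T bit: source switch cut the frame short
        "session_id": w0 & 0x3FF,           # which SPAN session produced this copy
        "index": w1 & 0xFFFFF,
        "inner_frame": gre_payload[off + 8:],  # original Ethernet frame, as mirrored
    }


# Constructed sample, not a real capture: GRE with the S bit set (seq 7), ERSPAN Type II
# session 5 for a frame seen on VLAN 100, then a minimal Ethernet header + IPv4 start.
SAMPLE_GRE_PAYLOAD = (
    struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_II, 7)
    + struct.pack("!II", (1 << 28) | (100 << 16) | 5, 0x12345)
    + bytes.fromhex("ffffffffffff0011223344550800") + b"\x45\x00\x00\x14"
)
```

The session ID is what lets a single collector tell apart feeds from several ERSPAN sources, and the inner frame can be handed to any ordinary Ethernet decoder.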
Use Cases for Port Mirroring
The initial configuration for port mirroring is generally handled by the IT expert who manages the enterprise’s network – for example, the network administrator (NA). Ongoing fine-tuning and configuration updates can be the NA’s responsibility or may be automated through the use of a security monitoring application.
Functionally, port mirroring consists of copying the packets transmitted or received on one or more switch ports to a dedicated “mirror” port. The ports being mirrored are the source, and the mirror port, or the device attached to it (a monitoring computer, an inspection device, or another switch), is the target. It is used to enhance network visibility and monitoring and is typically found on network switches or similar hardware.
While the switch is running, the packets entering and leaving a specific port are automatically copied (‘mirrored’) and forwarded to a target port (e.g. a monitoring or other destination port). The target port is usually connected to the device running the monitoring, inspection, or security application that then analyzes the packets in the traffic flow. The port mirroring mechanism is transparent: it is invisible to the source and to the other nodes in the network.
Mirror, Mirror on the Virtual Network
How do we monitor traffic on a virtual machine or between virtual machines? Even though the network infrastructure is different, the virtual environment can provide functionality similar to that of the “real” physical network, using the same concepts and terminology, such as tap and port mirror. Today, the virtual environments and virtual machines provided by the vendors typically include the tools and means to set up virtual monitoring points. These virtual monitoring points are sometimes referred to as virtual taps.
When the analysis tool runs on a virtual machine on the same host as the virtual machine being monitored, the mirror can be implemented entirely within the virtual switch that both machines are connected to.
If the network tool is a physical appliance connected to the host where the virtual machine (VM) resides, the connection will need to be set up via the host’s network interface card (NIC). The virtual source port of the port mirror session remains the same, but the destination is changed to the uplink port that connects the virtual switch to the host NIC. The mirrored packets leave through that NIC and from there reach the monitoring tool for analysis.
If you have many VM sources going to several network tools, you may want to filter the traffic and to be able to replicate or load balance it across the multiple monitoring and analysis tools. To achieve this you can use the virtual port mirror connections as feeds into a network packet broker (NPB) or a virtual NPB. Also, a dedicated virtual tap, as opposed to one built into the VM environment, may offer additional filtering and other select packet broker features.
Virtually Switching
As mentioned earlier, virtual switches (known as vSwitches) work very similarly to physical switches, though they are not as configurable as physical switch devices. They do, however, support the following functionality:
- Multiple vSwitches can be created on each host.
- Physical hosts supporting the virtual switches are connected to the physical network using network interface cards (NICs) and cables (called "uplinks" in a virtual infrastructure).
- Virtual LANs (VLANs) are fully supported. A switch port can be either an access port or a trunk port.
- Standard switch features, such as load balancing, are also available in a virtual environment.
Summary
Port mirroring is a quick and easy way to get visibility using your existing network infrastructure, without introducing additional devices. This can be accomplished both on the physical network and in virtual networks on virtual machines.
In many use cases port mirroring can be supplemented with network packet broker functionality to filter unwanted or unneeded traffic, which also keeps a single mirror destination from being oversubscribed when several busy ports are mirrored to it, or to aggregate the traffic to dedicated centralized network analysis tools.
Niagara Networks are industry specialists in network visibility and ensuring the most high-performance Network solutions are available for your enterprise and network needs. Contact us to find out more about Niagara Networks solutions or to schedule a consultation with one of our network visibility experts.