Last updated at Mon, 18 May 2020 15:31:12 GMT

Looking for an alternative for SPAN ports?

SPAN (Cisco) or mirror (everyone else) ports are an excellent data source for network security monitoring and traffic analysis. With them, you can monitor single or multiple ports or VLANs, and they give you access to packet payloads rather than just header information that you get with flow data.

But what if you don’t want to use SPAN ports, but you still need a source of network packets? Maybe you have used up your SPAN ports or maybe you don’t have access to your switch infrastructure. The good news is, there are alternatives. Here are the top five that you will get on most networks:

Top 5 Alternatives For SPAN or Mirror Ports

Network TAP

  1. Port aggregator
  2. Network visibility solutions
  3. Virtual switches
  4. A spare switch to create more SPAN sessions

Network TAP

A network TAP (Test Access Point) is a hardware device that enables network and security personnel to access packet data passing through a network. Taps are passive devices.

Not so long ago, when TAPs were expensive, there was a cheaper option: a simple network hub! However, it is actually quite difficult to purchase a hub these days!

Most taps pass all seven layers of OSI network traffic (including layer 1 and layer 2 errors) and do not interfere with the performance of the network or the data stream of the network traffic.

They are a low-cost option if you want to monitor single ports, but more advanced versions are available that allow for many-to-one port mirroring. The following diagram shows a typical use case. A TAP is used to take a copy of traffic going to/from a firewall and sends a copy to a network monitoring tool.

Port aggregation TAP

A port aggregation TAP is a hardware device that allows you to aggregate the data from multiple source or destination ports. It is not to be confused with the port aggregation protocol, which is Cisco proprietary. The most common use case for port aggregators is where you have multiple source ports that you want to monitor with a single network monitoring tool.

Network visibility solutions

Network visibility appliances include dedicated application processors pre-loaded with packet analyzers, network performance, and security/performance applications on a KVM software environment. Network engineers select traffic to stream or capture for diagnostics, and onboard storage is included for traffic analysis software and data files.

Virtual switch monitoring

Most data centers now host one or more hypervisor platforms. VMWARE ESX and Microsoft Hyper-V are the most popular, and both come with options for virtual packet capture.

VMWARE uses VLAN 4095 for monitoring purposes. You need to create a virtual switch for monitoring purposes and assign VLAN 4095 to this. Once the virtual switch is in place, you can connect your network monitoring tools to this.
Hyper-V monitoring is very similar in that you create a virtual switch for monitoring purposes. Instead of VLAN 4095, you set ports as destinations for monitored traffic. Microsoft has more information in this blog post.

Use a spare switch to create more SPAN sessions

If you have a shortage of SPAN ports, network switches can be used to double the number available. You need to connect the SPAN port from one switch to another spare one. Create a new VLAN on the new switch which is used for network monitoring purposes. There is no need to replicate this VLAN on other switches on your network. Once the VLAN is configured, you can create two SPAN sessions which use this VLAN as a data source.

[On-Demand Demo] See How Our SIEM Solution Monitors and Analyzes Network Traffic

Watch Now