Port Mirroring in Switches and In-line Network Taps

This article explains what port mirroring is, what its applications are, some of its features, and the advantages and disadvantages of port mirroring in network switches. We also look at the alternative to port mirroring, in-line network taps, and their advantages and disadvantages.

What is Port Mirroring in Network Switches?

Certain network switches can forward a copy of all inbound and outbound traffic (packets) from one port (or multiple ports, such as a VLAN group) to another port designated by an administrator, without affecting the normal operation of the switch. This is needed for monitoring network traffic (using a protocol analyser, for example), monitoring the performance of the switch, and the other applications described below:

Applications of Port Mirroring:

• Network Monitoring: Port mirroring can be used to monitor switch traffic for purposes such as enforcing policies on network usage, file sharing, etc., and locating abnormal or heavy bandwidth usage from particular stations or applications.

• Intrusion Detection (IDS): Port mirroring can be used to monitor all incoming traffic for anomalous or abnormal behaviour. This is done with a separate application such as a protocol analyser or IDS, which analyses all the mirrored packets without affecting the normal operation of the switch.

• Call Logging for IP Phones: A network switch can forward to the IP call logging (recording) server or application a copy of all the packets sent or received by IP phones, since all VoIP calls have to go through the IP PBX. This way, all calls are recorded “unobtrusively”.

• Data Leakage Prevention through the Web: Certain applications use port mirroring to monitor the traffic that users send to the internet. This enables those DLP applications to analyse whether confidential information such as medical records, credit card information or IP designs is being sent to someone en masse through webmail, etc.

Features: Generally there is a limit to the number of ports that can be configured as “mirrored” ports, and normally bi-directional traffic is disallowed on mirror ports: traffic is only allowed into them. You can either set the switch to forward all the packets to the mirror port or to send one in every x packets for statistical sampling (some applications do not need every packet for analysis). In certain switches, port mirroring can be combined with a firewall by setting up a filter that selects which packets are mirrored.

Advantages of Port Mirroring: Since a single port or (selectively) multiple ports can be monitored on an ordinary network switch without any additional components, port mirroring is more economical, simple to set up, easy to use and does not interrupt normal network operation.

Disadvantages of Port Mirroring: Port mirroring can cause buffer overflow and dropped packets, since all the mirrored packets pass through a buffer in the switch. Accurate time-sensitive measurements such as jitter, packet-gap analysis or latency measurement can therefore become difficult. Also, additional load is imposed on the switch CPU, affecting the operational performance of the switch.

In-line Network Taps:

In-line taps are passive components that are inserted directly into a link for copper cables. They re-transmit the data stream both back onto the link and to the probe, so the line can be tapped to monitor the traffic on that port without the network being aware of it. Passive optical taps are also available for monitoring traffic on optical cables; they contain a pair of passive optical beam splitters that divide the light entering each channel and route it separately to the link and to the probe.

Advantages of network taps: Network taps are passive components and are invisible to the network. They are more accurate for monitoring and analysing network traffic (especially traffic whose analysis depends on timing values) and can see 100% of the traffic on the link, meaning there are no packet drops with this method.

Disadvantages of network taps: An extra component must be purchased per link (as a tap can be installed on only one link at a time), and simultaneous monitoring of multiple ports may not be feasible.
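The oversubscription behind the disadvantages of port mirroring described above, and the drop-free behaviour of a passive tap, as an added simulation that is not part of the original article (a constructed model with hypothetical numbers, not any vendor's mirroring implementation): mirroring both directions of a saturated link into a single destination port of the same speed fills the switch buffer, after which copies are dropped and the surviving copies carry queueing delay, while 1-in-2 sampling or a tap avoids both.

```python
from collections import deque


def simulate_span(offered_per_tick, dest_rate, buffer_size, ticks, sample_every=1):
    """Constructed discrete-time model of a switch copying packets to a mirror
    (SPAN) destination port; it is not a vendor implementation.

    offered_per_tick : copies generated per tick for the destination port, e.g. 2
                       when both directions of a saturated port are mirrored
    dest_rate        : packets the destination port can transmit per tick
    buffer_size      : packets the switch can hold for that port
    sample_every     : copy only every Nth packet (1 = copy everything)
    Returns (delivered, dropped, max_queueing_delay_in_ticks).
    """
    queue = deque()  # enqueue tick of each buffered copy, FIFO order
    seen = delivered = dropped = max_delay = 0
    for t in range(ticks):
        # Copies are generated first; then the port drains up to dest_rate of them.
        for _ in range(offered_per_tick):
            seen += 1
            if seen % sample_every:          # statistical sampling skips this copy
                continue
            if len(queue) >= buffer_size:    # buffer full: the switch drops the copy
                dropped += 1
            else:
                queue.append(t)
        for _ in range(min(dest_rate, len(queue))):
            enqueued_at = queue.popleft()
            delivered += 1
            # Time spent in the buffer shifts the arrival times seen by the probe,
            # which is why jitter and latency figures from a mirror port are suspect.
            max_delay = max(max_delay, t - enqueued_at)
    return delivered, dropped, max_delay


def passive_tap(offered_per_tick, ticks):
    """A tap has no shared buffer: every packet reaches the probe, with no drops
    and no added queueing delay. Same (delivered, dropped, max_delay) tuple."""
    return offered_per_tick * ticks, 0, 0


if __name__ == "__main__":
    # Both directions of one saturated 1-packet/tick link into a 1-packet/tick
    # mirror port with an 8-packet buffer: the buffer fills, then half is dropped.
    print("SPAN, full mirror  :", simulate_span(2, 1, 8, 20))        # (20, 13, 7)
    print("SPAN, 1-in-2 sample:", simulate_span(2, 1, 8, 20, 2))     # (20, 0, 0)
    print("Passive tap        :", passive_tap(2, 20))                 # (40, 0, 0)
```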
