This article elaborates on what is port mirroring, what are its applications, some of the features of port mirroring, advantages and dis-advantages of port mirroring in network switches. We also take a look in to the alternative of port mirroring called In-line Network taps, their advantages and dis-advantages.

What is Port Mirroring in Network Switches?

Certain network switches can forward the copy of all in-bound and outbound traffic (packets) from one port (or multiple ports like a VLAN group) to another port designated by an administrator, simultaneously without affecting the normal operation of a switch. This is required for monitoring the network traffic (using a protocol analyser, for example), monitoring the performance of a switch and other applications as mentioned below:

Applications of Port Mirroring:

¤ Network Monitoring: Port mirroring could be used for monitoring switch traffic for applications like enforcing policies concerning network usage, file sharing etc, locating abnormal or heavy bandwidth usage from particular stations or applications.

¤ Intrusion Detection (IDS): Port mirroring can be used to monitor all incoming traffic for any anomalous or abnormal behaviour. This can be done by using a separate application like a protocol analyser/IDS System which can analyse all the incoming packets without affecting the normal operation of the switch.

¤ Call Logging for IP Phones: A network switch can forward to the IP Logging (Recording) server/ application, a copy of all the packets sent or received by IP Phones as all VOIP Calls need to go through the IP PBX. But this way, all the calls are recorded “unobtrusively”.

¤ Data Leakage Prevention through the Web: Certain application use Port Mirroring to monitor the traffic that is being sent to the internet by the users. This can enable those DLP applications to analyse if certain confidential information like medical records/ credit card information/ IP designs etc. are being sent to some one en-masse through webmail etc.

Features: Generally there is a limit to number of ports that you can configure as “mirrored” ports and normally the bi-directional traffic is dis-allowed on mirrored ports and traffic is only allowed in to the ports. You can either set the switch to forward all the packets to the mirrored port or send one in x number of packets for statistical sampling (some applications may not need all the packets for analysis). In certain switches the port mirroring can be used along with a firewall by setting up a filter to select certain packets for port mirroring.

Advantages of Port Mirroring: Since single port or multiple ports (selectively) can be monitored over a normal network switch (without the need of any additional components), port mirroring is more economical, simple to set up, easy to use and does not interrupt the normal network processes.

Dis-advantages of Port Mirroring: Port mirroring can cause buffer overflow and dropped packets since all the packets go through a buffer in the switch. So, accurate time sensitive measurements like jitter, packet gap analysis or latency measurement can become difficult. Also, there is additional load imposed on the CPU of the switch affecting the operational performance of the switch.

In-line Network Taps:

In-line taps are passive components that are inserted directly in to a link for copper cables. They re-transmit the data stream back to the link and the probe. So, this way, the lines maybe tapped to monitor network information for that port, without the network being aware of it. There are even passive optical taps available for traffic monitoring in optical cables that contain a pair of passive optical beam splitters which divides the light entering each channel and separately channeled out to the link and to the probe.

Advantages of network taps: Network taps are passive components and are invisible to the network. They are more accurate in monitoring network traffic/ analysis (especially the traffic which depend on the timing values) and can see 100% of traffic on that link (meaning there is no packet drops with this method).

Dis-advantages of network taps: An extra component needs to be purchased per link (as they can be installed only on one link at a time) and simultaneous monitoring of multiple ports may not be feasible.

excITingIP.com

In case you have any questions, you can get in touch with us using the contact form or leave a comment below. You can also participate in the discussions in the Forum.