Port Mirroring & SPAN
Visibility without Disruption
The Mirroring Mechanic
In a switched environment, traffic is delivered only to the specific port where the destination MAC address resides, so a sniffer on another port sees nothing. To monitor this traffic, whether for security auditing or troubleshooting, we must instruct the switch fabric to 'mirror' (copy) packets to the port where the monitoring tool is attached.
Source and Destination Dynamics
A SPAN session consists of a Source (ports or VLANs being monitored) and a Destination (the port where the sniffer/IDS is connected).
- Ingress (RX): Monitors traffic entering the source.
- Egress (TX): Monitors traffic leaving the source.
- Both: Full duplex visibility.
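The following is an added example, not part of the original article and not vendor code: a small Python model of a switch with a SPAN session, used to show how the Source/Destination and RX/TX/Both rules decide which frames reach the monitoring port, and (for the capacity rule in the Conclusion) how to estimate whether the aggregate mirrored bandwidth will oversubscribe the destination port. Port names, MAC addresses, link speeds and utilisation figures are constructed; the copy-per-matching-rule behaviour is a simplification, so a frame crossing two monitored ports is delivered twice here, whereas a real ASIC may deduplicate.

```python
from dataclasses import dataclass
from enum import Enum


class Direction(Enum):
    RX = "rx"      # ingress: frames entering the source port
    TX = "tx"      # egress: frames leaving the source port
    BOTH = "both"  # full duplex visibility


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    size: int  # bytes


@dataclass
class SpanSession:
    sources: dict       # source port -> Direction being monitored
    destination: str    # port where the sniffer/IDS is attached


class Switch:
    """Minimal learning switch with hardware-style port mirroring (constructed model)."""

    def __init__(self, mac_table, port_speeds_mbps):
        self.mac_table = mac_table          # MAC -> port (already learned)
        self.port_speeds = port_speeds_mbps  # port -> link speed in Mb/s
        self.sessions = []

    def add_session(self, session):
        # A port cannot be both monitored and the monitor: it would mirror itself.
        if session.destination in session.sources:
            raise ValueError("destination port cannot also be a SPAN source")
        self.sessions.append(session)

    def _is_destination(self, port):
        return any(s.destination == port for s in self.sessions)

    def forward(self, ingress_port, frame):
        """Return {port: [frames]} delivered by normal switching plus mirroring."""
        out = {}
        egress = self.mac_table.get(frame.dst_mac)
        if egress is None:
            # Unknown unicast floods every port except ingress and SPAN destinations,
            # which are dedicated to mirrored traffic.
            egress_ports = [p for p in self.port_speeds
                            if p != ingress_port and not self._is_destination(p)]
        else:
            egress_ports = [egress]
        for p in egress_ports:
            out.setdefault(p, []).append(frame)

        # Mirroring: one copy per source/direction rule the frame matches.
        for s in self.sessions:
            copies = 0
            if s.sources.get(ingress_port) in (Direction.RX, Direction.BOTH):
                copies += 1
            for p in egress_ports:
                if s.sources.get(p) in (Direction.TX, Direction.BOTH):
                    copies += 1
            for _ in range(copies):
                out.setdefault(s.destination, []).append(frame)
        return out

    def mirrored_load(self, session, utilization_mbps):
        """Aggregate mirrored bandwidth for a session vs. destination link speed.

        utilization_mbps: port -> (rx_mbps, tx_mbps) observed on each source.
        Returns (aggregate_mbps, destination_speed_mbps, oversubscribed).
        """
        total = 0
        for port, d in session.sources.items():
            rx, tx = utilization_mbps[port]
            if d in (Direction.RX, Direction.BOTH):
                total += rx
            if d in (Direction.TX, Direction.BOTH):
                total += tx
        dest_speed = self.port_speeds[session.destination]
        return total, dest_speed, total > dest_speed


def demo():
    # Constructed topology: host AA on Gi1, host BB on Gi2, IDS on Gi3, all 1 Gb/s.
    sw = Switch({"aa:aa": "Gi1", "bb:bb": "Gi2"},
                {"Gi1": 1000, "Gi2": 1000, "Gi3": 1000})
    sw.add_session(SpanSession({"Gi1": Direction.RX}, "Gi3"))
    seen = sw.forward("Gi1", Frame("aa:aa", "bb:bb", 1500))   # mirrored (ingress on Gi1)
    unseen = sw.forward("Gi2", Frame("bb:bb", "aa:aa", 64))   # not mirrored (egress on Gi1)
    load = sw.mirrored_load(SpanSession({"Gi1": Direction.BOTH, "Gi2": Direction.BOTH}, "Gi3"),
                            {"Gi1": (600, 400), "Gi2": (500, 500)})
    return seen, unseen, load


if __name__ == "__main__":
    print(demo())
```

The `mirrored_load` figure is the check the Conclusion asks for: two busy gigabit sources monitored in both directions can present 2 Gb/s to a 1 Gb/s destination, and the excess is silently dropped by the switch rather than queued.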
Performance Impact (The CPU Tax)
Most modern enterprise switches perform port mirroring in hardware (ASICs), with no impact on switching performance. However, entry-level switches, or an excessive number of ERSPAN (Encapsulated Remote SPAN) sessions, can place significant load on the control plane processor, because the encapsulation is then done in software.
ERSPAN: Monitoring the Cloud
In modern data centers, traffic often moves between virtual machines on different hosts. ERSPAN uses GRE (Generic Routing Encapsulation) to tunnel mirrored traffic across a Layer 3 network, allowing you to centralize your monitoring cluster in a different subnet or even a different site.
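To make the GRE tunnelling concrete, here is an added example (written for this page, not vendor code) that builds and parses an ERSPAN Type II header inside GRE, the format the text describes for carrying mirrored frames across a Layer 3 network. It also shows a receiver-side sequence check, since mirrored traffic that crosses routed hops can be dropped without the sniffer noticing. The outer IP header is omitted, session IDs and the sample frame are constructed, and the field layout is the commonly documented Type II layout (GRE with the sequence-number flag and protocol 0x88BE, followed by an 8-byte ERSPAN header).

```python
import struct

GRE_PROTO_ERSPAN2 = 0x88BE   # EtherType carried in the GRE protocol field
GRE_FLAG_CSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000        # ERSPAN Type II always carries a sequence number
ERSPAN_TYPE2_VERSION = 1     # Type II is encoded with version field = 1


def erspan2_encap(frame, session_id, vlan, seq, cos=0, en=0, t=0, index=0):
    """Wrap a raw Ethernet frame in GRE + ERSPAN Type II headers."""
    if not 0 <= session_id < 1024:
        raise ValueError("session id is a 10-bit field")
    if not 0 <= vlan < 4096:
        raise ValueError("vlan is a 12-bit field")
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN2, seq & 0xFFFFFFFF)
    w1 = (ERSPAN_TYPE2_VERSION << 12) | vlan            # Ver(4) | VLAN(12)
    w2 = (cos << 13) | (en << 11) | (t << 10) | session_id  # COS(3) En(2) T(1) Session(10)
    w3 = index & 0xFFFFF                                # Reserved(12) | Index(20)
    return gre + struct.pack("!HHI", w1, w2, w3) + frame


def erspan2_decap(packet):
    """Parse GRE + ERSPAN Type II; return header fields and the inner frame."""
    flags, proto = struct.unpack("!HH", packet[:4])
    if proto != GRE_PROTO_ERSPAN2:
        raise ValueError("not ERSPAN Type II (GRE protocol 0x%04x)" % proto)
    off = 4
    if flags & GRE_FLAG_CSUM:   # optional GRE fields, skipped if present
        off += 4
    if flags & GRE_FLAG_KEY:
        off += 4
    seq = None
    if flags & GRE_FLAG_SEQ:
        seq = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    w1, w2, w3 = struct.unpack("!HHI", packet[off:off + 8])
    off += 8
    if (w1 >> 12) != ERSPAN_TYPE2_VERSION:
        raise ValueError("unexpected ERSPAN version %d" % (w1 >> 12))
    return {
        "seq": seq,
        "vlan": w1 & 0xFFF,
        "cos": (w2 >> 13) & 0x7,
        "session_id": w2 & 0x3FF,
        "index": w3 & 0xFFFFF,
        "frame": packet[off:],
    }


class ErspanReceiver:
    """Collector-side bookkeeping: per-session sequence tracking to count lost copies."""

    def __init__(self):
        self.last_seq = {}   # session_id -> last sequence number seen
        self.lost = {}       # session_id -> mirrored packets missing so far

    def ingest(self, packet):
        meta = erspan2_decap(packet)
        sid = meta["session_id"]
        if sid in self.last_seq and meta["seq"] is not None:
            gap = (meta["seq"] - self.last_seq[sid] - 1) & 0xFFFFFFFF
            self.lost[sid] = self.lost.get(sid, 0) + gap
        else:
            self.lost.setdefault(sid, 0)
        self.last_seq[sid] = meta["seq"]
        return meta, self.lost[sid]


# Constructed sample: a 14-byte Ethernet header (dst, src, EtherType) plus a tiny payload.
SAMPLE_FRAME = bytes.fromhex("bbbbbbbbbbbb" "aaaaaaaaaaaa" "0800") + b"payload"


def demo():
    rx = ErspanReceiver()
    results = []
    for seq in (1, 2, 5):   # seq 3 and 4 never arrive: two mirrored packets lost in transit
        pkt = erspan2_encap(SAMPLE_FRAME, session_id=7, vlan=100, seq=seq)
        meta, lost = rx.ingest(pkt)
        results.append((meta["session_id"], meta["vlan"], meta["seq"], lost))
    return results


if __name__ == "__main__":
    print(demo())
```

A collector that reports the per-session loss counter gives you the evidence for the capacity rule: gaps in the ERSPAN sequence mean the mirrored stream was already incomplete before the IDS saw it, which is a different problem from the IDS itself dropping packets.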
Conclusion
Effective network visibility is a balance between coverage and capacity. Whether using local SPAN for a quick debug or RSPAN for enterprise-wide security, the fundamental rule remains: ensure your destination port can handle the aggregate bandwidth of your mirrored sources, or the switch will drop mirrored copies and your monitoring tool will see an incomplete picture.