SPAN Port Disadvantages
Port mirroring is an approach to monitoring network traffic that involves forwarding a copy of each packet from one network switch port to another. A SPAN port (port mirroring) is not a passive technology: passive means "has no effect and no impact" on the traffic being observed. Using SPAN is easy and quick to deploy, but it has some significant impacts.
- It puts an increased load onto the switch, which often increases CPU or memory requirements.
- SPAN ports are limited in number, so there is no scalability.
- Spanning or mirroring changes the timing of the frame interaction (what you see is not what you get).
- The spanning algorithm is not the primary function of the device, unlike switching or routing, so spanning is not the first priority: if replicating a frame becomes an issue, the hardware will temporarily drop the SPAN process.
- If the SPAN port's capacity becomes overloaded, frames are dropped.
- Proper spanning requires that a network engineer configure the switches correctly, which takes time away from the more important tasks network engineers have, and configurations can often become a political issue (constantly creating contention between the IT team, the security team and the compliance team).
- A SPAN port drops all packets that are corrupt or below the minimum frame size, so not all frames are passed on.

All of these events can occur without any notification being sent to the user, so there is no guarantee that one will get all the data required for proper analysis.
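Because the switch sends no notification when it drops mirrored frames, the monitoring side has to detect the loss itself. One check a defender can run over a capture is to track TCP sequence numbers per flow: a byte range that is missing from the capture but later appears as a retransmission was lost on the real network (the endpoint missed it too), while a range that is missing and never retransmitted was delivered to the endpoint but not to the SPAN port. The following is an added example, not code from the original page; the segment list is constructed sample data standing in for what a pcap parser would produce, and the flow names and function are assumptions of this example.

```python
"""
Detect likely SPAN/capture-side frame loss in TCP flows.

Input: an iterable of (flow, seq, payload_len) tuples in capture order,
as a pcap parser would emit them. The SAMPLE_SEGMENTS below are constructed
for illustration; flow names "A" and "B" are placeholders.
"""
from collections import defaultdict


def find_capture_gaps(segments):
    """
    Return {flow: [(gap_start, gap_end), ...]} for byte ranges that were never
    observed in the capture, neither in order nor as a later retransmission.

    A gap that is later filled by a retransmission is real network loss (the
    receiving endpoint missed it as well). A gap that stays unfilled means the
    endpoint acknowledged bytes the capture never saw: the signature of an
    overloaded or deprioritised SPAN port silently dropping mirrored frames.
    """
    expected = {}                 # flow -> next sequence number we expect
    gaps = defaultdict(list)      # flow -> list of [start, end) unseen ranges

    for flow, seq, length in segments:
        if length == 0:
            continue              # pure ACKs carry no payload; ignore them
        end = seq + length

        if flow not in expected:
            expected[flow] = end  # first segment seen for this flow
            continue

        exp = expected[flow]
        if seq > exp:
            # Bytes exp..seq skipped: record a pending gap and move on.
            gaps[flow].append([exp, seq])
            expected[flow] = end
            continue

        # In-order segment or retransmission: shrink any gap it covers.
        remaining = []
        for start, stop in gaps[flow]:
            if end <= start or seq >= stop:
                remaining.append([start, stop])   # no overlap, keep as is
                continue
            if seq > start:
                remaining.append([start, seq])    # uncovered head of the gap
            if end < stop:
                remaining.append([end, stop])     # uncovered tail of the gap
        gaps[flow] = remaining
        if end > exp:
            expected[flow] = end

    return {f: [tuple(g) for g in gs] for f, gs in gaps.items() if gs}


def missing_bytes(gap_report):
    """Total number of bytes the capture point never saw, across all flows."""
    return sum(stop - start for gs in gap_report.values() for start, stop in gs)


# Constructed sample: flow A has one gap filled by a retransmission (network
# loss, not a monitoring problem) and one gap that is never filled (the SPAN
# port dropped that frame). Flow B is clean.
SAMPLE_SEGMENTS = [
    ("A", 1000, 100),
    ("A", 1100, 100),
    ("A", 1300, 100),   # bytes 1200-1300 skipped ...
    ("A", 1200, 100),   # ... then retransmitted: endpoint missed them too
    ("A", 1400, 100),
    ("A", 1600, 100),   # bytes 1500-1600 skipped and never retransmitted
    ("B", 5000, 50),
    ("B", 5050, 50),
]

if __name__ == "__main__":
    report = find_capture_gaps(SAMPLE_SEGMENTS)
    for flow, ranges in report.items():
        for start, stop in ranges:
            print(f"flow {flow}: bytes {start}-{stop} never reached the capture point")
    print(f"{missing_bytes(report)} bytes lost on the monitoring path")
```

Run this over segments parsed from a capture taken off the SPAN port; any flow listed in the report is evidence that the mirror, not the network, lost data, which is exactly the kind of fidelity question the compliance or lawful-intercept use cases below hinge on.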
In summary, the fact that a SPAN port is not a truly passive data access technology, or even entirely non-intrusive, can be a problem, particularly for data security compliance monitoring or lawful intercept. Since there is no guarantee of absolute fidelity, it is possible, or even likely, that evidence gathered by this monitoring process will be challenged in a court of law.