Can Unifi Switches support a SPAN port?

bryan.adm · November 4, 2025, 7:23pm

I am running Security Onion, and our current switch is an EOL lower grade Cisco.

I have one port set as a SPAN port to collect network traffic for SO examination.

Since the switch is EOL we are looking to upgrade, and I am not finding an easy answer whether Unifi can support a SPAN port. Hoping to not have to get into Cisco/whatever else with licensing, etc.

If so, it is what it is, but I figured I would ask here.

TIA,

brwainer · November 4, 2025, 7:47pm

Yes, should be supported on all switch models other than “Flex” units. It’s called Port Mirroring.

bryan.adm · November 4, 2025, 8:19pm

I do see the port mirror option, but this is only for one port. I need a SPAN port that will mirror multiple ports for use with a SIEM. I see some workaround that doesnt survive a reboot, so maybe I wont be able to run a UI switch in this case..

We also run a Netgate firewall, so potentially I can pull something from a port there? hopefully someone has some thoughts

LTS_Tom · November 5, 2025, 10:13am

I get needing a port mirror (span port on Cisco) for Security Onion for full traffic but for SIEM we use the UniFi syslog. You can find that under Control Plane → Integrations → Activity Logging (Syslog)

xerxes · November 6, 2025, 2:17am

no SPAN port on Unifi switches. Maybe with the Enterprise line, dunno bout that. a SPAN is really not useful if the ports are quite busy, though. I solved this by mirroring the trunk port connected to the router. That is a “router on a stick”, so might not apply to your situation.

LTS_Tom · November 6, 2025, 11:13am

UniFI calls the Port Mirror and I think it’s supported on most all models (certainly more than just the pro and enterprise)

bryan.adm · November 10, 2025, 8:24pm

I see the port mirror option, but thats just for one port. I guess I misspoke - I am looking to feed SO as an IDS and not necessarily as a SIEM (i do have all of our devices and endpoints shipping logs to SO for its SIEM function)

currently we are running a flat network, so i am not sure if mirroring the uplink port would work (i am not a super network expert)

sadly, it sounds like it is probably not possible at this point using UI switches in a supported way

LTS_Tom · November 10, 2025, 9:05pm

Generally with something like SO you would mirror the uplink port that goes up from the switch to the gateway, not all the ports.