SWITCH PORT ANALYZER (SPAN)

The main purpose of this SPAN technology is to see the traffic on the other port without connecting your PC to that port as a Network Admin you need to keep an eye if anything thing suspicious happens on that particular port or ports and also for troubleshooting purposes.

• SPAN is also referred to as a Port-Mirroring
• Copy Packets are sent to a traffic-Analyzer
• Analyzer Aggregates and sends data in a Visual Manager
• Source means the ports that are getting monitored
• The monitor can both transmit and receive
• Transmit (Tx) | Receive (Rx)
• Monitored traffic source can be a VLAN
• It can reside on separate VLANNote: Source and Destination cannot be on the same port.

There are basically 3 types of SPAN:-

1. Local SPAN (SPAN)
2. Remote SPAN (RSPAN)
3. Encapsulated Remote SPAN (ERSPAN) -- Cisco Proprietary

1. Local SPAN

Here traffic is captured and mirrored locally i.e.; on the same switch

Configuration of Local SPAN

Sw-1>enable

Sw-1#conf t

Sw-1(config)#monitor session 1 source interface <monitored-device-port-no>

Sw-1(config)#monitor session 1 destination interface <Analyzer-server-port-no>

Sw-1(config)#end

2. Remote SPAN

It can Monitor multiple remote switches, where traffic is copied to the central traffic analyzer.

Configuration of Remote SPAN

Sw-1>enable

Sw-1#conf t

Sw-1(config)#monitor session 2 source vlan 200

Sw-1(config)#monitor session 2 destination interface Gi0/3

Sw-1(config)#end

Sw-2>enable

Sw-2#conf t

Sw-2(config)#monitor session 2 source interface Gi0/0 - 1

Sw-2(config)#monitor session 2 destination remote vlan 200

Sw-2(config)#end

3. Encapsulated Remote SPAN (ERSPAN)

It's a Cisco Proprietary technology that ensures that the traffic carried over a trunk is encapsulated using generic routing encapsulation such that if someone tries to capture the traffic passing through the trunk they aren't able to spy on it because the packets are encapsulated in (GRE-Generic Routing encapsulation).