- Switchport Analyzer (SPAN) – Copies ingress traffic from a port/VLAN and sends the frame copies to an egress port for observation
- Also known as local SPAN or port SPAN.
- Source and destination ports are on the same switch.
- Remote SPAN – Allows you to capture traffic on one switch and send it over to a ‘remote VLAN’ to a remote switch that has the destination port.
- The connecting switches must be connected VIA layer 2 and trunked all the way through.
Sources of SPAN Traffic
- One or more ports
- Select direction (RX, TX, both) – Default is both
- one or more VLAN
- Traffic to/from switch CPU
- Remote VLAN (RSPAN destination switches)
- One or more ports (Local SPAN)
- One or more remote VLANS (RSPAN)
- A port identified as a SPAN Destination is ‘monitoring’ – (All other features are disabled on the port)
- Once a destination port is set the only thing the port is good for is sending the traffic to the monitoring device – (normally PC with wireshark).
- A SPAN destination may only belong to ONE SPAN session.
Things to Know
- Do NOT oversubscribe the destination ports. ex: destination port is 1 Fast Ethernet port and you are monitoring 5 x Fast Ethernet ports. The switch will start dropping packets because the receiving (destination) interface is saturated due to the 500Mbps source traffic vs 100Mbps destination port.
- A SPAN source may belong to more than a single SPAN session.
- ex: monitor all traffic on fa 0/1
monitor session <session number> source [interface/remote/vlan]
monitor session 1 source int fa 0/1
- show current SPAN sessions
- ex: set session 1 destination interface for monitor to fa 0/3
monitor session 1 destination int fa 0/3