Cisco switches have a feature that allows all traffic from one port to be mirrored and directed to another port. This feature is called SPAN (Switch Port Analyzer).
There are many reasons for wanting to SPAN traffic from one port to another, it could be for compliance reasons, data collection purposes, or supporting a particular monitoring application. It can also be used to troubleshoot VoIP or networking issues to verify what data is actually being passed through a port.
SPAN sessions can be sourced from a port or a VLAN, the session then directs the traffic to a destination port or VLAN. When the destination port is local to the same switch that the SPAN is sourcing from, is referred to as simply a SPAN session.
Sessions that direct traffic to a remote port via a VLAN is referred to as an RSPAN (Remote SPAN) session. In RSPAN a specific VLAN is configured across the network to carry the mirrored source traffic from the source port to the remote port off a different switch.
The VLAN that’s created for the RSPAN is referred to as the RSPAN VLAN.
Encapsulated Remote Source Port Analyzer (ERSPAN) actually does what it says and encapsulates the source traffic in a GRE header and tunnels the SPAN traffic to a remote layer 3 endpoint through a GRE tunnel. This is primarily used to send traffic to a remote SPAN port across a layer 3 domain.
A SPAN source port can be any kind of port, on a SPAN VLAN all ports on a VLAN are monitored. As you add or remove ports on that VLAN ports are dynamically added or removed from the SPAN session. The destination port that traffic is being directed to cannot be part of the VLAN being monitored.
Other key restrictions include the following:
- When a port is configured to be a destination port its original configuration is overriden…once the SPAN is removed the original configuration is restored on the port.
- When a destination port configured is part of an etherchannel bundle, it is removed from the bundle while the SPAN is active.
- Destination ports do not support port security, 802.1x authentication, or private VLANs.
- Destination ports do not support any layer 2 protocols including CDP, SPT, VTP, DTP, and so on.
- The source port can be one or more ports or a VLAN, but not a mix of these.
- up to 64 SPAN destination ports can be configured on a switch.
- Be careful to avoid overloading the destination port, for example if you’re monitoring a VLAN with multiple ports in it, and sending all that traffic to a single destination port, could cause problems with congestion at the destination port.
- A SPAN destination port cannot also be a source port or vice versa
- Only one SPAN session can be sent to any particular destination ports, you cannot send multiple SPAN sessions to the same destination port.
- When a trunk is set as the source of a SPAN all VLANs are monitored in the session on the trunk. You can use the filter vlan command to prune the VLANs you’re uninterested in.
- Any traffic routed to a souce VLAN that’s being monitored from another VLAN will not be monitored. Only ports participating in the SPAN VLAN will mirror their traffic to the destination port.
SPAN sessions can support three types of traffic: transmitted, received, or both.
- For receive SPANs, all traffic received on the source port is transmitted to the destination port, no traffic transmitted on the port outbound is mirrored to the destination.
- For transmit SPANs, all traffic transmitted out the source port is mirrored to the destination port, no traffic received on that port is sent to the destination port in the SPAN.
- SPAN sessions will usually ignore layer 2 frames such as CDP, BPDUs, or VTP however you can include these frames in a SPAN by configuring the encapsulation replicate command.