04 September 2009

Understanding SPAN

Network administrators, especially those who work with Cisco appliances, may be familiar with the term SPAN. SPAN stands for Switch Port Analyzer and is also known as port mirroring.

Port mirroring is used on a network switch to send a copy of the network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. This is commonly used for network appliances that require monitoring of network traffic. It helps network experts analyze and investigate their network when an incident comes up.

Port mirroring is easy to deploy and requires no physical modifications to other systems. However, port-mirroring implementations can degrade switch performance, for example by increasing switch CPU load.

There are two ways to do SPAN: regular SPAN and RSPAN, which stands for Remote Switch Port Analyzer. RSPAN is very useful when we need to capture traffic from particular nodes that are connected to another switch. RSPAN is possible as long as L2 trunking is available between the source switch and the destination switch, and the trunk allows the desired VLAN to pass through.

With port mirroring, an administrator can see the real traffic running on his/her network. Traffic can be captured per VLAN, per IP and per protocol, depending on the filter applied.


We configure port mirroring by assigning a port from which to copy all packets and another port to which those packets will be sent. A packet bound for or heading away from the first port will be forwarded onto the second port as well. We must place a protocol analyzer on the port receiving the mirrored data to monitor each segment separately. The analyzer captures and evaluates the data without affecting the client on the original port.
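The source/destination assignment described above, for both regular SPAN and RSPAN, as an added example that is not part of the original post. It assumes Cisco Catalyst IOS syntax; the interface names, session numbers and VLAN 900 are placeholders chosen for illustration.

```cisco
! Constructed example; interface names, session numbers and VLAN 900 are assumptions.
! All lines are entered in global configuration mode unless noted.

! --- Regular SPAN: monitored port and analyzer on the same switch ---
! Copy traffic in both directions from Gi0/1 to the analyzer on Gi0/24.
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/24

! --- RSPAN, source switch (where the monitored node is connected) ---
! Dedicated VLAN that carries only the mirrored traffic.
vlan 900
 remote-span
 exit
monitor session 2 source interface GigabitEthernet0/1 both
monitor session 2 destination remote vlan 900
! The L2 trunk toward the destination switch must allow the RSPAN VLAN.
interface GigabitEthernet0/48
 switchport trunk allowed vlan add 900
 exit

! --- RSPAN, destination switch (where the analyzer is connected) ---
vlan 900
 remote-span
 exit
monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet0/24

! --- Verify (privileged EXEC), then remove the session when finished ---
! show monitor session 2
no monitor session 2
```

A SPAN destination port stops carrying normal traffic while the session exists, so pick a port with nothing else attached to it.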

2 comments:

  1. Nice blog :)

    Anyway, is it possible to activate and deactivate SPAN at any time?
    'Cause we might only need it to investigate an accidental issue.

    1. Thank you for visiting my blog, bro :)
      Yes, exactly, you can do it. You just need to prepare:

      1. 1 dedicated port (any fa/gi/te) to be used as the mirroring port.
      2. 1 dedicated system to capture the log; don't forget to have Wireshark installed on the system.
      3. The system must be connected to the port which is assigned as the mirroring port.

      Hope it can help :)
