Switch Port Analyzer (SPAN) is switch specific tool that copies Ethernet frames passing through switch ports and send these frames out to specific port. Switch itself doesn’t analyze these copied frames, it send frames out of specific port to network analyzer. A Network analyzer may be purpose build hardware appliance or an application running on the host. The analysis of these frames are done to troubleshoot network. Sometimes frame analysis is also done to dig out contents of frame to find any malicious content hidden inside the frame.
Infact, you can also install network analyzer on your PC (eg. Wireshark network analyzer) and start analyzing Ethernet frames and 802.11 frames out of Ethernet NIC and wireless NIC respectively.
Working of Span :
Consider the figure given below containing switch, server, PC and network analyzer. Until the configuration of SPAN on switch, the frames flow normally from PC to server and vice-versa. But after the configuration of SPAN on switch, switch starts making copies of frames passing through its ports and send them to network analyzer.
Switch copies frames after transfer of frames out of port and then send it to network analyzer. The rule of “from which ports to copy frames and where to send copied frames” is defined in SPAN session. You can define many SPAN sessions on switch.
There may be more than one source ports but only one destination port in SPAN session. Port from where frames are copied is called Source port and Port out of which copied frames are send is called Destination port. SPAN session can be defined on ports for traffic flowing in both directions or in single direction. A span session can be defined on VLANs also, switch will then copies frames from all ports in that vlan. But you cannot define session containing both ports and vlans. A span session must contain either ports only or vlans only.
Remote SPAN and Encapsulated Remote SPAN :
Consider situation, what if destination port is not present on switch where span is configured. Cisco provides two solution for this problem, RSPAN and ERSPAN.
RSPAN uses vlan to encapsulate frames in 802.1Q frame header (header defining belonging of frame to specific vlan) and send it over the network. ERSPAN is applicable on Layer 3 switches, it encapsulates the span traffic in GRE tunnel and forwards the traffic to network.
Some Important Rules Regarding SPAN :
- One SPAN session contains only one destination port.
- No two SPAN sessions have same destination port.
- Destination port can’t be used as source port.
- Destination port doesn’t act normally, It no longer learn MAC-addresses.
- A SPAN session may contain multiple source ports.
- A SPAN session can not mix ports and vlans.