Switch Port Analyzer (SPAN)

Switch Port Analyzer (SPAN) is switch specific tool that copies Ethernet frames passing through switch ports and send these frames out to specific port. Switch itself doesn’t analyze these copied frames, it send frames out of specific port to network analyzer. A Network analyzer may be purpose build hardware appliance or an application running on the host. The analysis of these frames are done to troubleshoot network. Sometimes frame analysis is also done to dig out contents of frame to find any malicious content hidden inside the frame.

Infact, you can also install network analyzer on your PC (eg. Wireshark network analyzer) and start analyzing Ethernet frames and 802.11 frames out of Ethernet NIC and wireless NIC respectively.

Working of Span :
Consider the figure given below containing switch, server, PC and network analyzer. Until the configuration of SPAN on switch, the frames flow normally from PC to server and vice-versa. But after the configuration of SPAN on switch, switch starts making copies of frames passing through its ports and send them to network analyzer.

Figure – Frame copying and forwarding in SPAN

Switch copies frames after transfer of frames out of port and then send it to network analyzer. The rule of “from which ports to copy frames and where to send copied frames” is defined in SPAN session. You can define many SPAN sessions on switch.

There may be more than one source ports but only one destination port in SPAN session. Port from where frames are copied is called Source port and Port out of which copied frames are send is called Destination port. SPAN session can be defined on ports for traffic flowing in both directions or in single direction. A span session can be defined on VLANs also, switch will then copies frames from all ports in that vlan. But you cannot define session containing both ports and vlans. A span session must contain either ports only or vlans only.

Remote SPAN and Encapsulated Remote SPAN :
Consider situation, what if destination port is not present on switch where span is configured. Cisco provides two solution for this problem, RSPAN and ERSPAN.

RSPAN uses vlan to encapsulate frames in 802.1Q frame header (header defining belonging of frame to specific vlan) and send it over the network. ERSPAN is applicable on Layer 3 switches, it encapsulates the span traffic in GRE tunnel and forwards the traffic to network.

Some Important Rules Regarding SPAN :

  • One SPAN session contains only one destination port.
  • No two SPAN sessions have same destination port.
  • Destination port can’t be used as source port.
  • Destination port doesn’t act normally, It no longer learn MAC-addresses.
  • A SPAN session may contain multiple source ports.
  • A SPAN session can not mix ports and vlans.

Attention reader! Don’t stop learning now. Get hold of all the important CS Theory concepts for SDE interviews with the CS Theory Course at a student-friendly price and become industry ready.

My Personal Notes arrow_drop_up

Check out this Author's contributed articles.

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.

Article Tags :
Practice Tags :

Be the First to upvote.

Please write to us at contribute@geeksforgeeks.org to report any issue with the above content.