A SPAN port (Switched Port Analyzer) is a switch port configured to receive a copy of the traffic passing through other ports, or through whole VLANs, on the same switch. Whatever is attached to that port sees the copy: typically a protocol analyzer, an intrusion detection sensor, a packet recorder or a flow and statistics collector. The feature is also called port mirroring or port monitoring, and on some platforms the destination is called a mirror port. Because the mirroring is configured in software on a Layer 2 or Layer 3 switch, the administrator can change what is copied (which ports, which VLANs, which direction) without touching any cabling.

The two common ways to deliver traffic to an out-of-band analysis tool are a network TAP (test access point) and a SPAN port. A TAP is a passive device inserted inline on a link; it copies every bit in both directions to its monitor ports without modifying the traffic, and it keeps passing traffic if the monitoring tool fails. A SPAN port needs no extra hardware and is configured entirely on the switch, but it has limits a security analyst should keep in mind: the destination port has only its own bandwidth, so mirroring both directions of a busy link, or an entire VLAN, into a single port oversubscribes it and the switch drops mirrored frames without telling the analyzer; SPAN copies what the switch forwards, so frames the switch discards on ingress (for example because of CRC errors) are not mirrored; and a port acting as a SPAN destination no longer carries its normal traffic. SPAN is therefore a convenient monitoring feed, not a guarantee that every frame on the wire reached the sensor.

Local SPAN copies traffic from one or more source ports or source VLANs to a destination port on the same switch. Remote SPAN (RSPAN) extends this across switches: the copied traffic is carried in a dedicated RSPAN VLAN over trunk links from the source switch to a destination port on another switch. IDS sensors (an IPS in inline mode sits in the traffic path instead), network recorders, RMON probes such as Cisco SwitchProbe devices and other network analyzers are normally connected at the SPAN destination port. Because the monitoring device receives a copy rather than sitting inline, it can inspect traffic without adding a point of failure or latency to the production path.
Last Updated on Sun, 06 Nov 2022 | CCIE
© 2002, Cisco Systems, Inc. All rights reserved. Cisco CCIE Prep v1.0—Module 5-65
You can analyze network traffic passing through ports or VLANs by using SPAN to send a copy of the traffic to another port on the switch that has been connected to a SwitchProbe device or other Remote Monitoring (RMON) probe. SPAN mirrors received or sent (or both) traffic on one source port, or received traffic on one or more source ports or source VLANs, to a destination port for analysis.

For example, in the figure above, all traffic on port 5 (the source port) is mirrored to port 10 (the destination port). A network analyzer on port 10 receives all network traffic from port 5 without being physically attached to port 5.

Only traffic that enters or leaves source ports, or traffic that enters source VLANs, can be monitored with SPAN; traffic that is routed into a source port or source VLAN from elsewhere on the switch is not. For example, if incoming traffic is being monitored on a source VLAN, traffic that gets routed from another VLAN into the source VLAN is not mirrored; traffic that is received on the source VLAN and then routed to another VLAN is mirrored, because it entered on the source VLAN.
Creating a SPAN Session and Specifying Ports to Monitor

Beginning in privileged EXEC mode, follow these steps to create a SPAN session and specify the source (monitored) and destination (monitoring) ports. The monitor session commands are global configuration commands.

Table 5-41: SPAN Session

| Command | Purpose |
| --- | --- |
| `configure terminal` | Enter global configuration mode. |
| `no monitor session {session_number \| all \| local \| remote}` | Clear any existing SPAN configuration for the session. For session_number, specify 1 or 2. Specify all to remove all SPAN sessions, local to remove all local SPAN sessions, or remote to remove all remote SPAN sessions. |
| `monitor session session_number source interface interface-id [, \| -] [both \| rx \| tx]` | Specify the SPAN session and the source port (monitored port). For session_number, specify 1 or 2. For interface-id, specify the source port to monitor; valid interfaces are physical interfaces and port-channel logical interfaces (port-channel port-channel-number). (Optional) Use a comma to specify a series of interfaces or a hyphen to specify a range; enter a space after the comma, and a space before and after the hyphen. (Optional) Specify the direction of traffic to monitor: both (received and sent), rx (received only) or tx (sent only). If you do not specify a direction, both sent and received traffic is mirrored. Only received (rx) traffic can be monitored on additional source ports. |
| `monitor session session_number destination interface interface-id [encapsulation {dot1q \| isl}]` | Specify the SPAN session and the destination port (monitoring port). For session_number, specify 1 or 2. For interface-id, specify the destination port; only physical interfaces are valid. (Optional) Specify the encapsulation header for outgoing packets: isl for ISL encapsulation, dot1q for IEEE 802.1Q tagging. If not specified, packets are sent in native (untagged) form. |
| `end` | Return to privileged EXEC mode. |
Removing Ports from a SPAN Session

Beginning in privileged EXEC mode, follow these steps to remove a port as a SPAN source for a session:

Table 5-42: SPAN Source

| Command | Purpose |
| --- | --- |
| `configure terminal` | Enter global configuration mode. |
| `no monitor session session_number source interface interface-id [, \| -] [both \| rx \| tx]` | Specify the source port (monitored port) and SPAN session to remove. For session_number, specify 1 or 2. For interface-id, specify the source port to stop monitoring; valid interfaces are physical interfaces and port-channel logical interfaces (port-channel port-channel-number). (Optional) Use a comma or hyphen to specify the series or range of interfaces as they were configured; this option is valid only when received (rx) traffic is being monitored. Enter a space after the comma, and a space before and after the hyphen. (Optional) Specify the direction of traffic (both, rx or tx) to stop monitoring. If you do not specify a direction, both transmit and receive monitoring are removed. |
| `end` | Return to privileged EXEC mode. |

To remove a source or destination port from the SPAN session, use the `no monitor session session_number source interface interface-id` global configuration command or the `no monitor session session_number destination interface interface-id` global configuration command. To change the encapsulation type back to the default (native), re-enter `monitor session session_number destination interface interface-id` without the encapsulation keyword.
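The whole procedure above, as an added example that is not part of the original Cisco module: a local SPAN session on a Catalyst access switch that feeds an IDS sensor with traffic from a server port and two neighbouring ports. The interface numbers, the sensor, and the server role are assumptions chosen for illustration.

```cisco
! Added example (not from the original module). Assumed layout: server on
! Fa0/1, two more hosts on Fa0/2 - 3, IDS sensor cabled to Fa0/24.
configure terminal
 ! Start from a clean slate: discard any previous definition of session 1
 no monitor session 1
 ! Primary source: both directions of the server-facing port
 monitor session 1 source interface fastethernet0/1 both
 ! Additional sources: only received (rx) traffic can be added on further
 ! ports. Space after the comma, space before and after the hyphen.
 monitor session 1 source interface fastethernet0/2 - 3 rx
 ! Destination: the sensor port. dot1q keeps the VLAN tag on each mirrored
 ! frame so the sensor can attribute traffic to a VLAN; without the keyword
 ! frames arrive untagged (native).
 monitor session 1 destination interface fastethernet0/24 encapsulation dot1q
 end
! Verify the session before trusting the sensor's view of the network
show monitor session 1
!
! Later: stop mirroring Fa0/2 - 3 but keep the rest of the session
configure terminal
 no monitor session 1 source interface fastethernet0/2 - 3 rx
 ! Return the destination to native (untagged) encapsulation by repeating the
 ! destination command without the encapsulation keyword
 monitor session 1 destination interface fastethernet0/24
 end
```

Capacity check before relying on this: Fa0/1 in both directions can produce up to twice the port's line rate of mirrored frames, plus the rx traffic of Fa0/2 - 3, all of which must fit into the single 100 Mb/s destination port. When it does not, the switch drops mirrored frames and the sensor simply never sees them. During a test window, compare the sensor's frame count against the source interface counters rather than assuming the feed is complete.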
Specifying VLANs to Monitor
VLAN monitoring is similar to port monitoring. Beginning in privileged EXEC mode, follow these steps to specify VLANs to monitor:
Table 5-43: VLANs to Monitor

| Command | Purpose |
| --- | --- |
| `configure terminal` | Enter global configuration mode. |
| `no monitor session {session_number \| all \| local \| remote}` | Clear any existing SPAN configuration for the session. For session_number, specify 1 or 2. Specify all to remove all SPAN sessions, local to remove all local SPAN sessions, or remote to remove all remote SPAN sessions. |
| `monitor session session_number source vlan vlan-id [, \| -] rx` | Specify the SPAN session and the source VLANs (monitored VLANs). Only received (rx) traffic can be monitored on VLANs. For session_number, specify 1 or 2. For vlan-id, the range is 1 to 4094; do not enter leading zeros. (Optional) Use a comma to specify a series of VLANs or a hyphen to specify a range of VLANs. Enter a space after the comma, and a space before and after the hyphen. |
| `monitor session session_number destination interface interface-id [encapsulation {dot1q \| isl}]` | Specify the SPAN session and the destination port (monitoring port). For session_number, specify 1 or 2. For interface-id, specify the destination port; only physical interfaces are valid. (Optional) Specify the encapsulation header for outgoing packets: isl for ISL encapsulation, dot1q for IEEE 802.1Q tagging. If not specified, packets are sent in native (untagged) form. |
| `end` | Return to privileged EXEC mode. |

To remove one or more source VLANs or the destination port from the SPAN session, use the `no monitor session session_number source vlan vlan-id rx` global configuration command or the `no monitor session session_number destination interface interface-id` global configuration command.
Specifying VLANs to Filter
Beginning in privileged EXEC mode, follow these steps to limit SPAN source traffic to specific VLANs:
Table 5-44: Limit SPAN Source Traffic

| Command | Purpose |
| --- | --- |
| `configure terminal` | Enter global configuration mode. |
| `no monitor session {session_number \| all \| local \| remote}` | Clear any existing SPAN configuration for the session. For session_number, specify 1 or 2. Specify all to remove all SPAN sessions, local to remove all local SPAN sessions, or remote to remove all remote SPAN sessions. |
| `monitor session session_number source interface interface-id rx` | Specify the source port (monitored port) and SPAN session. For session_number, specify 1 or 2. For interface-id, specify the source port to monitor. The interface must already be configured as a trunk port. |
| `monitor session session_number filter vlan vlan-id [, \| -]` | Limit the SPAN source traffic to specific VLANs. For session_number, specify 1 or 2. For vlan-id, the range is 1 to 4094; do not enter leading zeros. (Optional) Use a comma to specify a series of VLANs or a hyphen to specify a range of VLANs. Enter a space after the comma, and a space before and after the hyphen. |
| `monitor session session_number destination interface interface-id` | Specify the destination port (monitoring port) and SPAN session. For session_number, specify 1 or 2. For interface-id, specify the destination port; only physical interfaces are valid. |
| `end` | Return to privileged EXEC mode. |

To monitor all VLANs on the trunk port again, use the `no monitor session session_number filter` global configuration command.
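The two VLAN procedures above (monitoring source VLANs, and filtering a trunk source to selected VLANs) combined into one added example that is not part of the original module. It uses both available sessions: session 1 mirrors two user VLANs, session 2 mirrors an uplink trunk but only for a range of VLANs. VLAN numbers, interface names and their roles are assumptions chosen for illustration.

```cisco
! Added example (not from the original module). Assumed layout: user VLANs
! 10 and 20; uplink trunk Gi0/1 carrying many VLANs; analyzers on Fa0/23
! and Gi0/2.
configure terminal
 ! Remove every existing SPAN session before building the new ones
 no monitor session all
 !
 ! Session 1: VLAN sources. Only received (rx) traffic can be monitored per
 ! VLAN, so frames routed INTO VLAN 10 or 20 from another VLAN are not
 ! mirrored, while frames received on VLAN 10 or 20 and routed out are.
 monitor session 1 source vlan 10 , 20 rx
 monitor session 1 destination interface fastethernet0/23
 !
 ! Session 2: trunk source with a VLAN filter. Gi0/1 must already be a
 ! trunk. Without the filter the analyzer would receive every VLAN on the
 ! trunk and the destination port would be oversubscribed quickly.
 monitor session 2 source interface gigabitethernet0/1 rx
 monitor session 2 filter vlan 30 - 40
 ! dot1q keeps the tag so the analyzer can tell VLAN 30 frames from VLAN 40
 monitor session 2 destination interface gigabitethernet0/2 encapsulation dot1q
 end
show monitor session 1
show monitor session 2
!
! Later: watch every VLAN on the trunk again by removing only the filter
configure terminal
 no monitor session 2 filter
 end
```

Session 2 is the pattern to prefer when a sensor is interested in a few sensitive VLANs on a busy uplink: the filter is applied on the switch, so frames from the other VLANs never consume destination-port bandwidth, whereas filtering on the sensor would still have to survive the oversubscription drops described earlier.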
Remote Switched Port Analyzer [RSPAN]
Figure: RSPAN topology. Source switches B1, B2 and B3 (access layer) copy traffic onto the RSPAN VLAN; an intermediate switch (distribution) carries it on its trunks; the destination switch (data center) delivers it to the analyzer port.
RSPAN extends SPAN by enabling remote monitoring of multiple switches across your network. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. The SPAN traffic from the sources is copied onto the RSPAN VLAN through a reflector port and then forwarded over trunk ports that are carrying the RSPAN VLAN to any RSPAN destination sessions monitoring the RSPAN VLAN, as shown in the figure above.
First create a VLAN, not otherwise in use, to serve as the RSPAN VLAN on every switch that will participate in the RSPAN session. With VTP enabled in the network, you can create the RSPAN VLAN on one switch and VTP propagates it to the other switches in the VTP domain, for VLAN IDs lower than 1005.

Use VTP pruning, or manually remove the RSPAN VLAN from all trunks that do not need to carry it, so that the mirrored traffic flows only toward the destination switch. Every switch port and trunk that carries the RSPAN VLAN receives a copy of the monitored traffic, so the RSPAN VLAN should reach only the links on the path to the analyzer.
After creating the RSPAN VLAN, begin in privileged EXEC mode, and follow these steps to start an RSPAN source session and to specify the source [monitored] ports and the destination RSPAN VLAN.
| Command | Purpose |
| --- | --- |
| `configure terminal` | Enter global configuration mode. |
| `no monitor session {session_number \| all \| local \| remote}` | Clear any existing RSPAN configuration for the session. For session_number, specify 1 or 2. Specify all to remove all SPAN and RSPAN sessions, local to remove all local SPAN sessions, or remote to remove all remote SPAN sessions. |
| `monitor session session_number source interface interface-id [, \| -] [both \| rx \| tx]` | Specify the RSPAN session and the source port (monitored port). For session_number, specify 1 or 2. For interface-id, specify the source port to monitor; valid interfaces are physical interfaces and port-channel logical interfaces (port-channel port-channel-number). (Optional) Use a comma to specify a series of interfaces or a hyphen to specify a range; enter a space after the comma, and a space before and after the hyphen. (Optional) Specify the direction of traffic to monitor: both (received and sent), rx (received only) or tx (sent only). If you do not specify a direction, both sent and received traffic is mirrored. Only received (rx) traffic can be monitored on additional source ports. |
| `monitor session session_number destination remote vlan vlan-id reflector-port interface` | Specify the RSPAN session, the destination RSPAN VLAN and the reflector port. For session_number, specify 1 or 2. For vlan-id, specify the RSPAN VLAN that carries the monitored traffic to the destination switch. For interface, specify the port that floods the mirrored traffic onto the RSPAN VLAN. |
| `end` | Return to privileged EXEC mode. |
Creating an RSPAN Destination Session

Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session and to specify the source RSPAN VLAN and the destination port:

Table 5-46: RSPAN VLAN

| Command | Purpose |
| --- | --- |
| `configure terminal` | Enter global configuration mode. |
| `monitor session session_number source remote vlan vlan-id` | Specify the RSPAN session and the source RSPAN VLAN. For session_number, specify 1 or 2. For vlan-id, specify the RSPAN VLAN to monitor. |
| `monitor session session_number destination interface interface-id [encapsulation {dot1q \| isl}]` | Specify the RSPAN session and the destination interface. For session_number, specify 1 or 2. For interface-id, specify the destination interface. (Optional) Specify the encapsulation header for outgoing packets: isl for ISL encapsulation, dot1q for IEEE 802.1Q tagging. If not specified, packets are sent in native (untagged) form. |
| `end` | Return to privileged EXEC mode. |
Removing Ports from an RSPAN Session
Beginning in privileged EXEC mode, follow these steps to remove a port as an RSPAN source for a session:
| Command | Purpose |
| --- | --- |
| `configure terminal` | Enter global configuration mode. |
| `no monitor session session_number source interface interface-id [, \| -] [both \| rx \| tx]` | Specify the RSPAN source port (monitored port) to remove. For session_number, specify 1 or 2. For interface-id, specify the source port to stop monitoring; valid interfaces are physical interfaces and port-channel logical interfaces (port-channel port-channel-number). (Optional) Use a comma or hyphen to specify the series or range of interfaces as they were configured. Enter a space after the comma, and a space before and after the hyphen. (Optional) Specify the direction of traffic (both, rx or tx) to stop monitoring. If you do not specify a direction, both transmit and receive monitoring are removed. |
| `end` | Return to privileged EXEC mode. |
Specifying VLANs to Monitor

VLAN monitoring is similar to port monitoring. Beginning in privileged EXEC mode, follow these steps to specify VLANs to monitor as RSPAN sources:

Table 5-47: VLANs to Monitor

| Command | Purpose |
| --- | --- |
| `configure terminal` | Enter global configuration mode. |
| `no monitor session {session_number \| all \| local \| remote}` | Clear any existing SPAN or RSPAN configuration for the session. For session_number, specify 1 or 2. Specify all to remove all sessions, local to remove all local SPAN sessions, or remote to remove all remote SPAN sessions. |
| `monitor session session_number source vlan vlan-id [, \| -] rx` | Specify the RSPAN session and the source VLANs (monitored VLANs). Only received (rx) traffic can be monitored on VLANs. For session_number, specify 1 or 2. For vlan-id, the range is 1 to 4094; do not enter leading zeros. (Optional) Use a comma to specify a series of VLANs or a hyphen to specify a range of VLANs. Enter a space after the comma, and a space before and after the hyphen. |
| `monitor session session_number destination remote vlan vlan-id reflector-port interface` | Specify the RSPAN session, the destination RSPAN VLAN and the reflector port. For session_number, specify 1 or 2. For vlan-id, specify the RSPAN VLAN that carries the monitored traffic to the destination switch. For interface, specify the port that floods the mirrored traffic onto the RSPAN VLAN. |
| `end` | Return to privileged EXEC mode. |
To remove one or more source VLANs from the RSPAN session, use the `no monitor session session_number source vlan vlan-id rx` global configuration command.
Specifying VLANs to Filter
Beginning in privileged EXEC mode, follow these steps to limit RSPAN source traffic to specific VLANs:
Table 5-48: VLANs to Filter

| Command | Purpose |
| --- | --- |
| `configure terminal` | Enter global configuration mode. |
| `no monitor session {session_number \| all \| local \| remote}` | Clear any existing SPAN or RSPAN configuration for the session. For session_number, specify 1 or 2. Specify all to remove all sessions, local to remove all local SPAN sessions, or remote to remove all remote SPAN sessions. |
| `monitor session session_number source interface interface-id rx` | Specify the source port (monitored port) and RSPAN session. For session_number, specify 1 or 2. For interface-id, specify the source port to monitor. The interface must already be configured as a trunk port. |
| `monitor session session_number filter vlan vlan-id [, \| -]` | Limit the RSPAN source traffic to specific VLANs. For session_number, specify 1 or 2. For vlan-id, the range is 1 to 4094; do not enter leading zeros. (Optional) Use a comma to specify a series of VLANs or a hyphen to specify a range of VLANs. Enter a space after the comma, and a space before and after the hyphen. |
| `monitor session session_number destination remote vlan vlan-id reflector-port interface` | Specify the RSPAN session, the destination RSPAN VLAN and the reflector port. For session_number, specify 1 or 2. For vlan-id, specify the RSPAN VLAN that carries the monitored traffic to the destination switch. For interface, specify the port that floods the mirrored traffic onto the RSPAN VLAN. |
| `end` | Return to privileged EXEC mode. |
    Switch# show monitor session 1
    Session 1
    ---------
    Type              : Remote Source Session
    Source Ports      :
        RX Only       : Fa0/3
        TX Only       : None
        Both          : None
    Source VLANs      :
        RX Only       : None
        TX Only       : None
        Both          : None
    Source RSPAN VLAN : None
    Destination Ports : None
        Encapsulation : Native
    Reflector Port    : Fa0/4
    Filter VLANs      : None
    Dest RSPAN VLAN   : 901
To display the status of the current SPAN or RSPAN configuration, use the show monitor privileged EXEC command.
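The RSPAN procedures above (RSPAN VLAN creation, source session with reflector port, destination session) carried through end to end as an added example that is not part of the original module. It reuses the values shown in the `show monitor session 1` output: Fa0/3 as the monitored port, Fa0/4 as the reflector port and VLAN 901 as the RSPAN VLAN. The switch roles, the trunk interface and the analyzer port are assumptions chosen for illustration.

```cisco
! Added example (not from the original module). Assumed layout: access
! switch (source) and data-center switch (destination) joined through a
! distribution switch over trunks on Gi0/1; analyzer on Fa0/24 of the
! destination switch.
!
! --- On every participating switch: source, intermediate, destination ---
configure terminal
 ! The RSPAN VLAN must exist with the remote-span attribute on all of them
 ! (with VTP, create it once and let VTP propagate it; IDs below 1005).
 vlan 901
  remote-span
 exit
 ! Only the trunks on the path to the analyzer should carry VLAN 901;
 ! prune it everywhere else, since each link carrying it gets a copy of
 ! the monitored traffic.
 interface gigabitethernet0/1
  switchport trunk allowed vlan add 901
 exit
 end
!
! --- Source switch (access) ---
configure terminal
 no monitor session 1
 monitor session 1 source interface fastethernet0/3 rx
 ! The reflector port is a dedicated, otherwise unused port that floods the
 ! copied frames onto VLAN 901; it cannot carry anything else.
 monitor session 1 destination remote vlan 901 reflector-port fastethernet0/4
 end
! Expect "Type : Remote Source Session", RX Only Fa0/3, Dest RSPAN VLAN 901
show monitor session 1
!
! --- Destination switch (data center) ---
configure terminal
 no monitor session 1
 monitor session 1 source remote vlan 901
 monitor session 1 destination interface fastethernet0/24
 end
! Expect "Type : Remote Destination Session" with Fa0/24 as destination port
show monitor session 1
```

Treat the RSPAN VLAN as a carrier of captured traffic: any access port placed in VLAN 901, or any trunk allowed to carry it, receives a copy of everything mirrored from Fa0/3. Never assign hosts to it, keep it off trunks that do not lead to the analyzer, and check the allowed-VLAN list on each trunk after changes, since a single over-permissive trunk leaks the capture to a whole segment.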