Switched Port Analyzer (SPAN)
In simple terms, Switched Port Analyzer (SPAN) technology enables port mirroring on a selected switch. In some cases you need a server, PC or other network device to receive a copy of network traffic that is destined for some other device in the network. If you wish to gain practical knowledge, you can do so through the courses offered by SPOTO.
Why would you want that?
Maybe you need some control over the traffic, or you want to implement an Intrusion Detection System (IDS) or something similar. In that case, you can configure each Cisco switch to send a copy of the traffic to one of its ports, which is connected to the sensor device.
Don't get confused: the sensor device is mentioned here for the first time. A sensor device is a device that analyzes the received traffic using some kind of software. It can be used to generate logs of network status or to alert you when the status of the traffic changes. In some cases, you can also implement and configure appliances that change the network configuration depending on their analysis of the network traffic, and in this way automate part of network control.
One way to do all this is to configure a port on a Cisco Catalyst switch for the Switched Port Analyzer (SPAN) feature. SPAN allows a copy of traffic destined for another port to be sent out the SPAN port, so that an attached IDS sensor receives a copy of the traffic.
Here we look at simple SPAN functionality, in which the SPAN port we configure resides on the same switch as the port the mirrored traffic is destined for. However, Cisco switches also support the Remote SPAN (RSPAN) function, which lets us configure a SPAN port on a different switch.
Different Types of SPAN:
Local SPAN:
Local SPAN mirrors traffic from one or more interfaces on the switch to one or more interfaces on the same switch.
Remote SPAN (RSPAN):
Remote SPAN (RSPAN) is an extension of SPAN. RSPAN allows you to monitor traffic from source ports distributed over multiple switches, which means that you can centralize your network capture devices. RSPAN works by mirroring the traffic from the source ports of an RSPAN session onto a VLAN that is dedicated to that RSPAN session. This VLAN is then trunked to other switches, allowing the RSPAN session traffic to be transported across multiple switches. On the switch that contains the destination port for the session, traffic from the RSPAN session VLAN is simply mirrored out the destination port.
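The Local SPAN and RSPAN arrangements described above, written out as an added configuration example that is not part of the original article. It assumes Catalyst IOS syntax; the interface names, session numbers and VLAN 900 are constructed for illustration, and the exact syntax varies by platform and software release.

```cisco
! ----- Local SPAN: source and sensor port on the same switch -----
! Copy traffic in both directions on Gi0/1 (assumed monitored port)
! out Gi0/24 (assumed port where the IDS sensor is attached).
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/24
!
! ----- RSPAN, source switch -----
! VLAN 900 (assumed ID) is dedicated to the RSPAN session.
vlan 900
 name RSPAN-SENSOR
 remote-span
!
monitor session 2 source interface GigabitEthernet0/2 both
monitor session 2 destination remote vlan 900
!
! Carry the RSPAN VLAN on the existing trunk toward the sensor switch
! (Gi0/23 is assumed to be configured as a trunk already).
interface GigabitEthernet0/23
 switchport trunk allowed vlan add 900
!
! ----- RSPAN, destination switch (where the sensor is attached) -----
vlan 900
 name RSPAN-SENSOR
 remote-span
!
monitor session 1 source remote vlan 900
monitor session 1 destination interface GigabitEthernet0/24
!
! ----- Verification, from privileged EXEC on each switch -----
!   show monitor session 1
!   show vlan remote-span
```

Reviewing the output of `show monitor` periodically also shows any mirroring session that nobody on the team configured, which matters because a SPAN destination receives a full copy of the monitored traffic.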
Encapsulated Remote SPAN (ERSPAN):
Encapsulated Remote SPAN (ERSPAN), as the name says, adds generic routing encapsulation (GRE) to all captured traffic, which allows it to be extended across Layer 3 domains. ERSPAN is a Cisco proprietary feature and is available only on the Catalyst 6500, 7600, Nexus, and ASR 1000 platforms to date. The ASR 1000 supports ERSPAN source only on Gigabit Ethernet, Fast Ethernet, and port-channel interfaces.
SPAN ports have many benefits, including:
• Two SPAN ports are available on all Cisco switches.
• Visibility into what is happening on the LAN and WAN.
• Access to packet payloads, which can be used for application decoding.
• More granular data for troubleshooting the network.