Real Network Security & Firewall Configuration Guides

SWITCH PORT ANALYZER | SPAN | RSPAN

The main purpose of SPAN is to see the traffic on another port without connecting your PC to that port. As a network admin you need to keep an eye on a particular port or group of ports in case anything suspicious happens there, and you also need this visibility for troubleshooting purposes.

SPAN and RSPAN

  • SPAN is also referred to as port mirroring
  • Copied packets are sent to a traffic analyzer
  • The analyzer aggregates the data and presents it in a visual manager
  • Source means the port or ports that are being monitored
  • Monitoring can cover both transmitted and received traffic: Transmit (Tx) | Receive (Rx)
  • The monitored traffic source can be a VLAN
  • The destination can reside on a separate VLAN from the source

Note: Source and destination cannot be on the same port.

There are basically three types of SPAN:

  1. Local SPAN (SPAN)
  2. Remote SPAN (RSPAN)
  3. Encapsulated Remote SPAN (ERSPAN) (Cisco proprietary)


1. Local SPAN

Here traffic is captured and mirrored locally, i.e. on the same switch.

LOCAL SPAN

Configuration of Local SPAN

Sw-1>enable

Sw-1#conf t

Sw-1(config)#monitor session 1 source interface <monitored-device-port-no>

Sw-1(config)#monitor session 1 destination interface <Analyzer-server-port-no>

Sw-1(config)#end

Local SPAN Configured

2. Remote SPAN

It can monitor multiple remote switches; the traffic is copied across the network to a central traffic analyzer.

REMOTE SPAN

Configuration of Remote SPAN

Sw-1>enable

Sw-1#conf t

Sw-1(config)#vlan 200

Sw-1(config-vlan)#remote-span

Sw-1(config-vlan)#exit

Sw-1(config)#monitor session 2 source remote vlan 200

Sw-1(config)#monitor session 2 destination interface Gi0/3

Sw-1(config)#end

Remote SPAN Sw-1

Sw-2>enable

Sw-2#conf t

Sw-2(config)#vlan 200

Sw-2(config-vlan)#remote-span

Sw-2(config-vlan)#exit

Sw-2(config)#monitor session 2 source interface Gi0/0 - 1

Sw-2(config)#monitor session 2 destination remote vlan 200

Sw-2(config)#end

Remote SPAN Sw-2
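As an added example (not part of this guide), a small Python linter that applies two of the rules above to a saved running-config excerpt: a port must not be both source and destination of one session, and a VLAN used with `remote vlan` must have been declared `remote-span` on that switch. The sample configuration and its interface names are constructed for the example.

```python
"""Lint Cisco IOS 'monitor session' (SPAN/RSPAN) lines from a config dump.

Added example, not the guide's own code. Checks two rules the guide states: a
port cannot be both source and destination of one session, and a VLAN carrying
RSPAN traffic must be declared 'remote-span'. Sample names below are constructed.
"""
import re

SESSION_RE = re.compile(r"^monitor session (\d+) (source|destination) (.+)$")
RANGE_RE = re.compile(r"^(\S+?)(\d+)\s*-\s*(\d+)$")   # matches 'Gi0/0 - 1'


def expand_interfaces(spec):
    """'Gi0/0 - 1' -> ['Gi0/0', 'Gi0/1']; a single port name is returned as-is."""
    m = RANGE_RE.match(spec.strip())
    if not m:
        return [spec.strip()]
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{prefix}{n}" for n in range(lo, hi + 1)]


def lint_span_config(config_text):
    """Return a list of problem strings; an empty list means the config passes."""
    remote_span_vlans, sessions, current_vlan = set(), {}, None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if (vm := re.match(r"^vlan (\d+)$", line)):
            current_vlan = vm.group(1)            # entering 'vlan N' config mode
        elif line == "remote-span" and current_vlan:
            remote_span_vlans.add(current_vlan)   # VLAN N is declared an RSPAN VLAN
        elif (sm := SESSION_RE.match(line)):
            sid, role, target = sm.groups()
            s = sessions.setdefault(sid, {"source": set(), "destination": set()})
            if target.startswith("interface "):
                s[role].update(expand_interfaces(target[len("interface "):]))
            else:
                s[role].add(target)               # 'vlan 200' or 'remote vlan 200'
    problems = []
    for sid, s in sorted(sessions.items()):
        for port in sorted(s["source"] & s["destination"]):
            problems.append(f"session {sid}: {port} is both source and destination")
        for target in sorted(s["source"] | s["destination"]):
            if target.startswith("remote vlan ") and target.split()[-1] not in remote_span_vlans:
                problems.append(f"session {sid}: {target} used but VLAN not declared remote-span")
        if not s["destination"]:
            problems.append(f"session {sid}: no destination configured")
    return problems


SAMPLE_CONFIG = """
monitor session 1 source interface Gi0/1 - 2
monitor session 1 destination interface Gi0/2
monitor session 2 destination remote vlan 200
"""
```

Running `lint_span_config(SAMPLE_CONFIG)` reports that Gi0/2 would mirror itself in session 1 and that VLAN 200 is used for RSPAN without a `remote-span` declaration.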

3. Encapsulated Remote SPAN (ERSPAN)

It's a Cisco proprietary technology in which the mirrored traffic carried over a trunk is encapsulated using GRE (Generic Routing Encapsulation), so that if someone tries to capture the traffic passing through the trunk they are not able to spy on it, because the packets are wrapped in GRE.

Best Practices:

  • Use Dedicated Hardware: When possible, employ dedicated hardware designed for network monitoring tasks to avoid potential performance impacts on production switches.

  • Minimize Latency: Ensure that the path between source and destination ports is optimized to reduce latency, which can affect the accuracy of monitoring.

  • Monitor Resource Utilization: Regularly check the switch's CPU and memory usage to prevent performance degradation due to SPAN operations.

By understanding and properly configuring SPAN, network administrators can effectively monitor and analyze network traffic, aiding in troubleshooting, performance optimization, and security analysis.

