What is SPAN?

SPAN stands for switchport analyzer .it is also called port mirroring. To analyze network traffic passing through the port by using span.

How do SPAN works?

It will send a copy of the traffic to another port on the switch. Span monitors received or sent (both) traffic on one or more source ports to a destination port for analysis. Only traffic that is entered or leaves source ports can be monitored.

How many types of SPAN are present?

There are mainly two types of span

  • Local Span – sources and destination ports are present on the same switch that is called span.
  • Rspan (Remote span)-source and destination ports are present in the different switches that are called rspan.

The characteristics are given below.

  • Source characteristics
  • Destination characteristics

Source characteristics

It can be any port type (Giga ethernet, fast ethernet, EtherChannel).it can’t be a destination port. Each source port can be configured with a direction (like egress, ingress, or both). EtherChannel source, the monitored direction would apply to all the physical ports in the group. Source port may be different or in the same VLAN. We can configure a trunk port as a source port, all VLANs active on the trunk are monitored.

Destination characteristics

It can be any Ethernet physical port. It cannot be a source port. It cannot be an EtherChannel group or a VLAN. It can be a physical port that is assigned to an EtherChannel group, the port will be removed from the group while it is configured as a span destination port. That port does not transmit any traffic except that required for span session. When it is a destination port, it doesn’t participate in any of the layer2 protocols (like:-vtp, cdp, dtp , stp, pagp, lacp).

No address learning occurs on the destination port.

Local SPAN

If the source and destination port is present on a single switch that is called local span.

There are two types of local span

  • Local span for a single source port-when I configure local span with a single source that is called single source port.
  • Local span for the source as multiple port-when we configure local span with multiple source ports that are called multiple.

Configure local span for a single source port

Sw1(config)#moniter session 1 source interface <fast Ethernet 0/1> both

Sw1(config)#moniter session 1 destination interface <fastethernet 0/5>

Verification command

Sw1#show interface fast ethernet 0/1

  • Line protocol is down (monitoring)

Sw1# show interface status

  • Fastethernet0/5 monitoring

Now let’s check it is working or not

R1#ping repeat 50

Sw1#show interface fastethernat 0/5

Packer output that is received

Configure local span for a multiple source port

Sw1(config)#monitor session 10 source interface fastethernet 0/1-4 both

Sw1(config)#monitor session 10 destination interface fastethernet 0/5

Sw1#show monitor session 10

Note:- we can also configure local span single or multiple source ports with VLAN.

Rspan/remote span

  • Source and destination ports are on different switches in that scenario we use rspan.

Configure Remote span

Sw1(config)#vlan 100


Sw1(config)#moniter session 1 source interface fastethernet 0/1 both

Sw1(config)#moniter session 1 destination remote  vlan 100

Sw2(config)#vlan 100


Sw2(config)#moniter session 1 source remote VLAN 100

Sw2(config)#moniter session 1 destination interface fastethernet 0/5

Note:-remote VLAN must not be pruned.

We, Zindagi technologies is an IT Consulting firm that implements data center, security planning of architecture of the network, etc. We have years of combined experience in this field and have resources that have proven their abilities in every project. Being the top IT consulting company, we give managed IT service, cloud solutions, cloud security, cyber security, and everything that is needed by your organization to become safe from threats. Give us a call at +919773973971 or or you can visit us too.

Anuj Kumar
Associate Consultant

Leave a comment