SPAN – Switched Port Analyzer technology and configuration

In simple terms, SPAN technology enables port mirroring on a selected switch.

In some cases you will need a server, PC or other network device to receive a copy of the network traffic that is destined for some other device in the network. Why would you want that? Maybe you need some kind of control over the traffic, or you want to implement an IDS – Intrusion Detection System, or something else. In that case you can configure every Cisco switch to send a copy of the traffic to one of the ports that is connected to a sensor device.

Don’t be confused: the sensor device is mentioned here for the first time. A sensor device is a device that can analyze the received traffic using some kind of software. It can be used to generate logs of network status or to alert you when the status of the traffic changes. In some cases you can also implement and configure appliances that make changes to the network configuration depending on the analysis of the network traffic, and in this way automate a piece of network control.

The way to do all this is to configure a port on a Cisco Catalyst switch for the Switched Port Analyzer (SPAN) feature. SPAN allows a copy of traffic destined for another port to be sent out the SPAN port, so that an attached IDS sensor receives a copy of the traffic.

SPAN - switch port duplicating

We will now see how to configure simple SPAN functionality. In this setup, the SPAN port that we will configure resides on the same switch as the destination port. However, Cisco switches also support the Remote SPAN – RSPAN function, which enables us to configure a SPAN port on a different switch.

SPAN config for Cisco

Switch1(config)# monitor session 1 source interface gigabitethernet0/2 
Switch1(config)# monitor session 1 destination interface gigabitethernet0/3 
Switch1(config)# end
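
The following Python script is an added example, not part of the original article: it reads monitor session lines like the ones above out of a saved switch configuration and flags sessions that are incomplete or that mirror traffic to a port not on an approved sensor list. The sample configuration, session 2, gigabitethernet0/5 and all function names are constructed for illustration; it assumes one interface per line, written out in full as in the config above.

```python
import re
from collections import defaultdict

# Constructed sample: session 1 is the article's config, session 2 is an
# invented source-only session added to show an incomplete mirror.
SAMPLE_CONFIG = """\
hostname Switch1
monitor session 1 source interface gigabitethernet0/2
monitor session 1 destination interface gigabitethernet0/3
monitor session 2 source interface gigabitethernet0/5 rx
interface gigabitethernet0/3
 description IDS sensor
"""

LINE_RE = re.compile(
    r"^monitor session (\d+) (source|destination) interface (\S+)\s*(.*)$",
    re.IGNORECASE,
)

def parse_span_sessions(config_text):
    """Return {id: {"source": [(intf, direction)], "destination": [intf]}}."""
    sessions = defaultdict(lambda: {"source": [], "destination": []})
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sid, role, intf, rest = m.groups()
        intf, rest = intf.lower(), rest.strip().lower()
        if role.lower() == "source":
            # With no rx/tx keyword, IOS mirrors both directions.
            direction = rest if rest in ("rx", "tx", "both") else "both"
            sessions[int(sid)]["source"].append((intf, direction))
        else:
            sessions[int(sid)]["destination"].append(intf)
    return dict(sessions)

def audit(sessions, approved_destinations):
    """Flag incomplete sessions and mirrors to unapproved ports."""
    findings = []
    for sid, s in sorted(sessions.items()):
        if not s["source"] or not s["destination"]:
            findings.append((sid, "incomplete"))
        for dst in s["destination"]:
            if dst not in approved_destinations:
                findings.append((sid, f"unapproved destination {dst}"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_span_sessions(SAMPLE_CONFIG), {"gigabitethernet0/3"}):
        print(finding)
```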
