SPAN = Switch Port ANalyzer
RSPAN = Remote SPAN
- The source can either be one or more interfaces OR a VLAN, but cannot be a mixture of both in the same session.
- Up to 64 SPAN destination ports can be configured in a single switch.
- Switched or Routed ports can be configured as source or destination ports
- Within a single SPAN session, you cannot deliver traffic to a destination port when it’s sourced by a mix of SPAN and RSPAN source ports.
- A SPAN destination port cannot be a source port and vice versa.
- Only 1 SPAN/RSPAN session can send traffic to a single destination port.
- A SPAN destination port ceases to act as a normal switchport
- It’s possible to configure a trunk port as the source. All the VLAN’s will be monitored. To filter the monitored VLANs, use the “filter vlan” command
- Traffic that is routed from another vlan to a source vlan on the same switch, cannot be monitored (I read this as, if the switch is routing between vlans, you won’t see the traffic between them)
- Only received traffic is forwarded to the destination port
- Bypasses any ACL / QoS / Policing, etc policies. This is because the SPAN is only mirroring what the port receives. ACL’s, etc does not change what is received.
- Only transmitted traffic is forwarded to the destination port
- INCLUDES any filtering with ACL / QoS / Policing, etc. This is because the switch is only transmitting what it should, which is what is being mirrored.
NOTE SPAN / RSPAN usually ignores certain layer 2 frames like CDP, BDPU, VTP, DTP, and PagP frames. To include those frames in the session, use the “encapsulation replicate” command.