The Switched Port Analyzer (SPAN) feature, which is sometimes called port mirroring or port monitoring, is a method wherein a device sends a copy of all network packets seen on one port (or an entire VLAN) to another port. This allows the copied network to be analyzed for monitoring, troubleshooting, and other purposes. Figure 6-9 illustrates some of the key terms used in a SPAN implementation.
Figure 6-9 SPAN Switch Port
Ingress traffic: Traffic that enters the switch.
Egress traffic: Traffic that leaves the switch.
Source (SPAN) port: A port that is monitored with use of the SPAN feature.
Source (SPAN) VLAN: A VLAN whose traffic is monitored with use of the SPAN feature.
Destination (SPAN) port: A port that monitors source ports, usually where a network analyzer is connected.
SPAN ports monitor all traffic for a source port, which sends a copy of the traffic to a destination port. The network analyzer, which is attached with a destination port, analyzes the traffic that passes through the source port.
The source port can be a single port or multiple ports or a VLAN, which is also called a monitored port. You can monitor all the packets for a source port that is received (ingress), transmitted (egress), or bidirectional (both). A replication of the packets is sent to the destination port for analysis.
For VLAN-based SPAN (VSPAN), all ports in the VLAN are source ports. So, the traffic in the VLAN is monitored. You can apply a VLAN-based filter on the trunk port of the switch to limit the SPAN traffic monitor.
The destination port is one that was connected to a device such as a SwitchProbe device or other Remote Network Monitoring (RMON) probe or security device that can receive and analyze the copied packets from a single or from multiple source ports.
A switch supports multiple SPAN sessions (up to 48 sessions), but only two sessions can be run simultaneously, and others are shut down. A port of the switch is configured as either the source port or the destination port.