Switched Port Analyzer (SPAN), sometimes called port mirroring or port monitoring, copies network traffic passing through a switch and forwards it out the SPAN port for analysis by a network analyzer. By enabling SPAN, you can monitor traffic on a switch port by forwarding copies of its incoming and outgoing traffic to another port for data collection and analysis. You can use a network analyzer on this monitor port to troubleshoot network problems by examining traffic on other ports or segments without taking the network out of service.
Suppose, for instance, that you want to examine traffic flowing in and out of a port, or within a virtual local-area network (VLAN). In a shared network, such as Ethernet, you would attach a network analyzer to an available port on the hub and your analyzer would listen to all traffic on the segment, as illustrated in Figure 11-12.
The analyzer decodes the frames and provides you with an analysis of the frame contents, such as the packets and other higher-layer protocol information.
In a switched network, however, this is not as simple as in a shared network. The switch does not transmit a frame out a port unless the bridge/switch table indicates that the frame's destination is on that port, or the frame needs to be flooded, such as during a spanning-tree update. An analyzer attached to an ordinary switch port therefore does not work for you, because you want to see all the switch traffic, from all the VLANs. The SPAN switch feature enables you to attach an analyzer to a switch port and capture traffic from other ports in the switch, as illustrated in Figure 11-13.
The SPAN port mirrors traffic from one or more source interfaces on any VLAN, or from one or more VLANs, to a destination port for analysis. The network analyzer attaches to the SPAN port and examines copies of the traffic as it passes through the switch, which enables you to dig into the details of your network traffic. For SPAN configuration, the source interfaces and the destination interface must be on the same switch.
SPAN does not affect the switching of network traffic on source interfaces; copies of the frames received or transmitted by the source interfaces are sent to the destination interface.
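The difference between an analyzer on an ordinary switch port and one on a SPAN port can be shown with a small model. The following Python sketch is an added example, not taken from the original text; the ToySwitch class, the port numbers and the host names A and B are constructed for illustration, and the model simplifies SPAN to one copy per frame.

```python
class ToySwitch:
    """Toy learning switch with one local SPAN session (illustrative model)."""

    def __init__(self, ports, span_sources=(), span_dest=None):
        self.ports = set(ports)
        self.mac_table = {}                       # MAC -> port it was learned on
        self.span_sources = set(span_sources)     # monitored (source) ports
        self.span_dest = span_dest                # port the analyzer attaches to
        self.delivered = {p: [] for p in self.ports}  # frames sent out each port

    def receive(self, in_port, src, dst, payload):
        frame = (src, dst, payload)
        self.mac_table[src] = in_port             # learn where the sender lives
        if dst in self.mac_table:
            # Known destination: forward only to that port (filtering).
            out_ports = {self.mac_table[dst]} - {in_port}
        else:
            # Unknown destination: flood to every normal port except the ingress.
            out_ports = self.ports - {in_port, self.span_dest}
        for port in out_ports:
            self.delivered[port].append(frame)
        # SPAN: copy any frame received or transmitted on a source port.
        # Normal forwarding above is untouched. Simplification: one copy per frame.
        seen_on = {in_port} | out_ports
        if self.span_dest is not None and seen_on & self.span_sources:
            self.delivered[self.span_dest].append(frame)
        return out_ports


def demo(span=True):
    """Hosts A (port 1) and B (port 2) talk; analyzers sit on ports 3 and 4."""
    if span:
        sw = ToySwitch([1, 2, 3, 4], span_sources=[1, 2], span_dest=4)
    else:
        sw = ToySwitch([1, 2, 3, 4])
    sw.receive(1, "A", "B", "hello")   # B not yet learned: flooded
    sw.receive(2, "B", "A", "reply")   # A known: sent to port 1 only
    sw.receive(1, "A", "B", "data")    # B known: sent to port 2 only
    return sw


if __name__ == "__main__":
    sw = demo()
    print("ordinary port 3 saw:", sw.delivered[3])
    print("SPAN port 4 saw:    ", sw.delivered[4])
```

The analyzer on ordinary port 3 sees only the first, flooded frame, while the SPAN destination on port 4 receives a copy of all three frames exchanged on the source ports.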