Let’s imagine a topology where we have a client and a server exchanging traffic back and forth.
Suppose we are troubleshooting something going on between the client and the server, and we want to capture and analyze the packets going back and forth. What if we connected a sniffer to the switch?
We turn on packet-sniffing software such as “Wireshark” and try to sniff the packets going back and forth between the client and the server. Unfortunately, that is not going to work, because the switch is doing its job of forwarding frames only where they need to go, and according to the MAC address table inside the switch, those frames do not need to go down to our sniffer.
Fortunately, Cisco gives us a feature called “SPAN (Switched Port Analyzer)”.
With SPAN enabled, we can tell the switch that we want to make a copy of the traffic going out of or coming into a switch port, and then send that copy out of another port, the SPAN destination port. That is what we are doing here. The server is sending traffic, and we are monitoring the port to which the client is connected. We are saying that we want a copy of the traffic going out of or coming into the port to which the client is connected, and we want to send that copy down to our sniffer.
In addition to that, there is another option, where we can monitor a VLAN. We can see the traffic appearing on all ports of the VLAN and send all of that traffic out to our sniffer. That is the basic theory of how SPAN works.
Setting up Local SPAN
We have a client and a server attached to switch SW1, and they are sending information back and forth between themselves. However, our “sniffer” (the laptop running network analyzer software) is on switch SW2. How do we get a copy of that traffic over to SW2?
Cisco gives us a solution called RSPAN (Remote Switched Port Analyzer). If we have a trunk between these two switches, then one of the VLANs that we carry across that trunk between our switches is a VLAN that carries this SPAN information.
Here we set up a SPAN session on each switch. On switch SW1, we say that the SPAN source is the port to which the client is attached, and the SPAN destination is a VLAN, which we call a remote VLAN. When we send a copy of the traffic appearing on the client’s port over to this VLAN, that VLAN traffic goes across the trunk and appears on switch SW2. On switch SW2, we set up another SPAN session, and we say that the source of that SPAN session is the remote VLAN and the destination is the port attached to the sniffer. Once we do that, traffic appearing on the client’s port is copied and sent to the VLAN that we designated as the remote VLAN, it flows over the trunk, and it appears on SW2, where the second SPAN session says that traffic appearing on the remote VLAN should be copied out of the port attached to the sniffer.
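The local SPAN session and the two RSPAN sessions described above, written out as Cisco IOS configuration. This is an added example, not configuration from the original article; the session numbers, VLAN 999, VLAN 10 and all interface names are assumptions chosen for illustration.

```cisco
! ===== Local SPAN: sniffer on the same switch as the client =====
! Assumed: client on Gi0/1, sniffer on Gi0/10
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/10
! VLAN option instead of a single port (assumed VLAN 10):
! monitor session 1 source vlan 10
!
! ===== RSPAN, SW1: client port is copied into the remote VLAN =====
! Assumed: client on Gi0/1, trunk to SW2 on Gi0/24, remote VLAN 999
vlan 999
 name RSPAN
 remote-span
!
interface GigabitEthernet0/24
 switchport mode trunk
 ! the remote VLAN must be allowed on the trunk, or no copy reaches SW2
 switchport trunk allowed vlan add 999
!
! "both" copies traffic going out of and coming into the client's port
monitor session 2 source interface GigabitEthernet0/1 both
monitor session 2 destination remote vlan 999
!
! ===== RSPAN, SW2: remote VLAN is copied out to the sniffer =====
! Assumed: trunk to SW1 on Gi0/24, sniffer on Gi0/2
vlan 999
 name RSPAN
 remote-span
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan add 999
!
monitor session 2 source remote vlan 999
monitor session 2 destination interface GigabitEthernet0/2
!
! ===== Checks to run on each switch =====
! show monitor session 2
! show vlan remote-span
```

The remote VLAN should be dedicated to RSPAN with no access ports assigned to it, and mirrored traffic should only ever land on a port you control, since whoever sits on the destination port sees a full copy of the client's traffic.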