📘CCNP Encore (350-401-ENCORE-v1.1)
1. Why SPAN Is Important in Enterprise Networks
In an enterprise network, administrators often need to see the actual traffic flowing through a switch to:
- Troubleshoot network problems
- Detect security threats
- Analyze performance issues
- Capture packets for tools like Wireshark, IDS, IPS, or network analyzers
A switch normally forwards traffic only toward its intended destination, so a monitoring device connected to another port does not see it.
To solve this, Cisco uses SPAN technologies.
SPAN = Switched Port Analyzer
SPAN allows a switch to copy traffic from one or more ports or VLANs and send that copied traffic to a monitoring port or remote device.
2. What Is SPAN (Local SPAN)
Definition
SPAN (Local SPAN) is used to monitor traffic on the same switch.
The switch:
- Copies traffic from selected source ports or VLANs
- Sends the copy to a destination (monitor) port
- The destination port connects to a monitoring device
Key Characteristics
- Source and destination are on the same switch
- Traffic is copied, not redirected
- Original traffic flow is not affected
- Destination port is receive-only
3. SPAN Traffic Sources
SPAN can monitor traffic from:
1. Source Interfaces
- Physical ports (e.g., GigabitEthernet0/1)
- Port channels (EtherChannel)
2. Source VLANs
- All traffic entering and leaving a VLAN
Traffic Direction Options
You can choose:
- Ingress (incoming traffic)
- Egress (outgoing traffic)
- Both (default)
4. SPAN Destination Port Behavior (Exam Critical)
The destination port has special rules:
- Does not send traffic
- Does not learn MAC addresses
- Does not participate in STP
- Does not support normal switching
- Cannot be used for normal network traffic
If the switch reloads, SPAN configuration may be lost unless saved.
5. Basic SPAN Configuration (Conceptual)
Steps to Configure SPAN
- Define the SPAN session
- Choose source interface or VLAN
- Choose destination interface
Example (for understanding)
monitor session 1 source interface gi0/1
monitor session 1 destination interface gi0/24
This copies traffic from gi0/1 to gi0/24.
6. Limitations of Local SPAN
Local SPAN cannot be used when:
- The monitoring device is on another switch
- Traffic must cross the network
- You need centralized monitoring from a remote location
To solve these problems, Cisco provides RSPAN and ERSPAN.
7. What Is RSPAN (Remote SPAN)
Definition
RSPAN allows traffic monitoring across multiple switches using a special VLAN.
Instead of sending traffic to a local port:
- Traffic is copied into an RSPAN VLAN
- That VLAN is carried across trunk links
- Another switch receives the traffic
- The destination port is on a remote switch
8. How RSPAN Works (Step-by-Step)
- Create an RSPAN VLAN
- Mark the VLAN as remote-span
- Allow the RSPAN VLAN on trunk links
- Configure:
  - Source SPAN session on source switch
  - Destination SPAN session on remote switch
9. RSPAN VLAN Characteristics (Exam Focus)
An RSPAN VLAN:
- Is dedicated only for SPAN traffic
- Cannot carry normal user traffic
- Must be allowed on trunk ports
- Is marked with remote-span
- Does not learn MAC addresses
Example RSPAN VLAN
vlan 999
 remote-span
10. RSPAN Source and Destination
Source Switch
- Monitors interfaces or VLANs
- Sends copied traffic into RSPAN VLAN
Destination Switch
- Receives traffic from RSPAN VLAN
- Forwards it to destination monitoring port
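The RSPAN rules from sections 8 to 10, as an added example (not part of the original guide or Cisco tooling): a Python check that every RSPAN VLAN referenced by a monitor session is marked remote-span and allowed on a trunk. The two configurations are constructed samples; VLAN 999 follows the guide, while interface names and other VLAN IDs are assumptions.

```python
import re

# Constructed sample configs (not from the original guide). VLAN 999 follows the
# guide's example; interface names and the other VLAN IDs are made up.
SOURCE_SWITCH = """\
vlan 999
 remote-span
interface GigabitEthernet0/48
 switchport mode trunk
 switchport trunk allowed vlan 10,20,999
monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination remote vlan 999
"""

# Remote switch with two deliberate mistakes: no remote-span, VLAN not on trunk.
DEST_SWITCH = """\
vlan 999
interface GigabitEthernet0/48
 switchport mode trunk
 switchport trunk allowed vlan 10,20
monitor session 1 source remote vlan 999
monitor session 1 destination interface GigabitEthernet0/24
"""

def expand_vlans(spec):
    """Expand a VLAN list such as '10,20,900-902' into a set of IDs."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def check_rspan(config):
    """Return findings for each RSPAN VLAN used by a monitor session."""
    # Assumption: every trunk carries an explicit allowed-VLAN list.
    used = re.findall(
        r"^monitor session \d+ (?:source|destination) remote vlan (\d+)", config, re.M)
    marked = re.findall(r"^vlan (\d+)\n(?: .*\n)*? remote-span$", config, re.M)
    trunks = [expand_vlans(s) for s in re.findall(
        r"^ switchport trunk allowed vlan (?:add )?([\d,-]+)", config, re.M)]
    findings = []
    for vlan in sorted(set(used), key=int):
        if vlan not in marked:
            findings.append(f"VLAN {vlan} is not marked remote-span")
        if not any(int(vlan) in t for t in trunks):
            findings.append(f"VLAN {vlan} is not allowed on any trunk")
    return findings
```

Running `check_rspan` on the saved configuration of each switch in the path shows where the mirrored traffic would stop.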
11. RSPAN Limitations
RSPAN has several drawbacks:
- Traffic is sent in clear text
- Mirrored traffic in the RSPAN VLAN consumes bandwidth on the trunk links that carry it
- Cannot cross Layer 3 networks
- Must be in the same Layer 2 domain
To overcome these limitations, Cisco uses ERSPAN.
12. What Is ERSPAN (Encapsulated Remote SPAN)
Definition
ERSPAN sends mirrored traffic over an IP network using GRE encapsulation.
Unlike SPAN and RSPAN:
- ERSPAN works across Layer 3 networks
- No special VLAN is required
- Monitoring device can be anywhere with IP reachability
13. How ERSPAN Works
- Source switch captures traffic
- Traffic is encapsulated using GRE
- GRE packets are sent to a destination IP address
- Monitoring system decapsulates and analyzes traffic
14. ERSPAN Versions (Exam Knowledge)
ERSPAN Type II
- Original implementation
- Limited metadata
- Less flexible
ERSPAN Type III (Most Important for Exam)
- Enhanced metadata
- Supports timestamps
- Supports truncation
- Better analysis and monitoring
CCNP ENCOR expects knowledge of ERSPAN Type III
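The decapsulation step from sections 13 and 14, as an added example (not from the original guide or from Cisco): a Python parser for the GRE and ERSPAN headers that a monitoring system strips before analysing the mirrored frame. It assumes the publicly documented header layouts (GRE protocol type 0x88BE for Type II, 0x22EB for Type III); the sample packet is constructed, with session ID 100 chosen to match the erspan-id in the guide's configuration example.

```python
import struct

ERSPAN_TYPES = {0x88BE: "II", 0x22EB: "III"}  # GRE protocol type -> ERSPAN type

def parse_erspan(gre):
    """Decapsulate the GRE payload of an IP protocol 47 packet carrying ERSPAN.

    Returns the ERSPAN header fields and the mirrored Ethernet frame;
    raises ValueError on anything that is not well-formed ERSPAN.
    """
    try:
        flags, proto = struct.unpack_from("!HH", gre, 0)
        if proto not in ERSPAN_TYPES:
            raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN")
        off, seq = 4, None
        off += 4 if flags & 0x8000 else 0      # C bit: checksum + reserved
        off += 4 if flags & 0x2000 else 0      # K bit: key
        if flags & 0x1000:                     # S bit: sequence number
            (seq,) = struct.unpack_from("!I", gre, off)
            off += 4
        if proto == 0x88BE and seq is None:
            raise ValueError("no sequence number: Type I carries no ERSPAN header")
        w1, w2 = struct.unpack_from("!II", gre, off)
        info = {
            "type": ERSPAN_TYPES[proto],
            "sequence": seq,
            "vlan": (w1 >> 16) & 0x0FFF,       # VLAN of the mirrored frame
            "truncated": bool(w1 & 0x0400),    # T bit: frame was truncated
            "session_id": w1 & 0x03FF,         # matches the configured erspan-id
        }
        if proto == 0x88BE:
            info["index"] = w2 & 0xFFFFF       # platform-specific port index
            off += 8
        else:
            info["timestamp"] = w2             # Type III timestamp field
            (w3,) = struct.unpack_from("!I", gre, off + 8)
            off += 12 + (8 if w3 & 1 else 0)   # O bit: optional 8-byte subheader
    except struct.error:
        raise ValueError("truncated GRE/ERSPAN header") from None
    info["frame"] = gre[off:]
    return info

# Constructed sample: GRE (S bit set, sequence 7) + ERSPAN Type II header
# (VLAN 10, session ID 100, index 1) + a made-up Ethernet frame.
INNER = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"payload"
SAMPLE = struct.pack("!HHIII", 0x1000, 0x88BE, 7, 0x100A0064, 1) + INNER

if __name__ == "__main__":
    print(parse_erspan(SAMPLE))
```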
15. ERSPAN Requirements
To use ERSPAN:
- Devices must support ERSPAN
- IP connectivity between source and destination
- GRE encapsulation must be allowed
- Monitoring system must support ERSPAN
16. ERSPAN Configuration Overview (Conceptual)
Key components:
- Source interface or VLAN
- Destination IP address
- ERSPAN session ID
- ERSPAN type (II or III)
Example:
monitor session 10 type erspan-source
 source interface gi0/1
 destination ip 192.168.1.100
 erspan-id 100
17. Comparing SPAN, RSPAN, and ERSPAN (Very Important)
| Feature | SPAN | RSPAN | ERSPAN |
|---|---|---|---|
| Same switch | Yes | No | No |
| Layer 2 only | Yes | Yes | No |
| Uses VLAN | No | Yes | No |
| Uses IP/GRE | No | No | Yes |
| Cross Layer 3 | No | No | Yes |
| Best use case | Local monitoring | Campus monitoring | Enterprise / data center |
18. Common Exam Scenarios
You may be asked:
- Which SPAN type works across Layer 3? → ERSPAN
- Which SPAN uses a special VLAN? → RSPAN
- Which SPAN works only on the same switch? → SPAN
- Which protocol does ERSPAN use? → GRE
- Can RSPAN cross routed networks? → No
19. Verification and Troubleshooting Commands
Verify SPAN Sessions
show monitor session all
Check RSPAN VLAN
show vlan remote-span
Check ERSPAN Configuration
show monitor session
20. Key Exam Takeaways
✔ SPAN mirrors traffic on the same switch
✔ RSPAN mirrors traffic using a special VLAN across switches
✔ ERSPAN mirrors traffic using GRE over IP networks
✔ Destination ports are receive-only
✔ ERSPAN is the most scalable and flexible option
21. Final Summary (Simple Words)
SPAN technologies allow network administrators to see traffic without interrupting it.
- SPAN → same switch
- RSPAN → different switches, same Layer 2 network
- ERSPAN → anywhere over an IP network
Understanding when to use each type is critical for both real enterprise networks and the CCNP ENCOR exam.
