Classification and Configuration of SPAN Data Stream

- Aug 12, 2019-

A VLAN-based switch port analyzer (SPAN) takes one or more VLANs as the monitored object. All ports in the monitored VLANs are source ports. Like port-based SPAN, VLAN-based SPAN can be divided into three types: input data stream, output data stream and bidirectional data stream monitoring, as follows:

(1) Input Data Stream (IngressSPAN): the data stream received by the source port, a copy of which is sent to the monitoring port;

(2) Output Data Stream (EgressSPAN): the data stream sent from the source port, a copy of which is sent to the monitoring port;

(3) Two-way Data Flow (BothSPAN): the combination of the above two.

When configuring VLAN-based SPAN tasks, pay attention to several points:

(1) Trunk ports can be included in source ports;

(2) For bidirectional SPAN tasks, if there is data exchange between two source ports in the source VLAN, two copies of each packet will be forwarded to the mirror port.

(3) For SPAN tasks with multiple source VLANs, if a source VLAN is deleted, the VLAN will also be deleted from the list of source VLANs.

(4) A VLAN in the inactive state cannot participate in a SPAN task;

(5) For a source VLAN set to monitor the input data flow, routing information packets from other VLANs will not be mirrored; likewise, routing information packets sent to other VLANs from a VLAN set to monitor the output data flow will not be mirrored. In other words, a VLAN-based SPAN task mirrors only the packets entering and leaving Layer 2 switching ports, not the routing information between VLANs. All non-routing packets transmitted between networks, including multicast packets and BPDU (Bridge Protocol Data Unit) packets, can be mirrored using SPAN tasks.

Under some task configurations, the switch port analyzer will send multiple copies of the same SPAN source port packet to the SPAN monitoring port. As mentioned earlier, in a bidirectional SPAN task, assuming A1 and A2 are source ports and D1 is the destination port, if a data packet is transmitted between A1 and A2, the packet from A1 to A2 will be sent to D1 twice, and vice versa.
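The duplication described above matters to whatever sensor sits on D1, because packet counts and alerts double for traffic between source ports. The following added example (not part of the original article) models the three SPAN directions and a sensor-side duplicate filter. The port name B1, the 5 ms window and the sample frames are assumptions constructed for illustration, and the model assumes both mirror copies are byte-identical.

```python
import hashlib
from collections import OrderedDict

def mirror_copies(frame, in_port, out_port, source_ports, direction):
    """Copies sent to the monitoring port for one switched frame (rx, tx or both)."""
    copies = []
    if direction in ("rx", "both") and in_port in source_ports:
        copies.append(frame)  # ingress copy, taken when the source port receives
    if direction in ("tx", "both") and out_port in source_ports:
        copies.append(frame)  # egress copy, taken when the source port sends
    return copies

class Deduplicator:
    """Sensor-side filter: drop a frame whose bytes were seen within `window` seconds."""
    def __init__(self, window=0.005, max_entries=4096):
        self.window = window
        self.max_entries = max_entries
        self.seen = OrderedDict()  # frame digest -> timestamp of last accepted copy

    def accept(self, ts, frame):
        digest = hashlib.sha256(frame).digest()
        last = self.seen.get(digest)
        if last is not None and ts - last <= self.window:
            return False  # second mirror copy of the same frame
        self.seen[digest] = ts
        self.seen.move_to_end(digest)
        while len(self.seen) > self.max_entries:
            self.seen.popitem(last=False)  # bound memory: evict oldest digest
        return True

def capture(events, source_ports, direction, dedup=None):
    """events: (timestamp, in_port, out_port, frame). Returns frames kept at D1."""
    kept = []
    for ts, in_port, out_port, frame in events:
        for copy in mirror_copies(frame, in_port, out_port, source_ports, direction):
            if dedup is None or dedup.accept(ts, copy):
                kept.append(copy)
    return kept

# Constructed sample traffic: A1 and A2 are source ports, B1 is not (assumption).
SOURCE_PORTS = {"A1", "A2"}
EVENTS = [
    (0.000, "A1", "A2", b"frame-1 A1->A2"),
    (0.010, "A2", "A1", b"frame-2 A2->A1"),
    (0.020, "A1", "B1", b"frame-3 A1->B1"),
    (0.500, "A1", "A2", b"frame-1 A1->A2"),  # genuine retransmission, later
]

if __name__ == "__main__":
    print({d: len(capture(EVENTS, SOURCE_PORTS, d)) for d in ("rx", "tx", "both")})
```

The time window keeps the later retransmission of frame-1, which is real traffic, while discarding only the immediate second mirror copy.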

