If there is a problem in the local network, network administrators often need access to the entire data stream for troubleshooting. The same access is also required for ongoing monitoring by IDS/IPS or for VoIP voice recording. In switched infrastructures it is provided by SPAN or TAP. Both variants have their advantages and disadvantages.
SPAN – also called port mirroring – is a feature in a managed switch. Depending on the switch platform, a physical port, a port group or a VLAN (Virtual LAN) can be defined as the data source. Network administrators decide whether to record the packets in the send or receive direction (TX or RX) – or in both at the same time. Physical ports or, in the case of remote SPAN, special SPAN VLANs can be defined as the destination. The traffic can also be forwarded to a monitoring station or to another switch. The number of possible SPAN ports varies depending on the switch type.
A special case is Encapsulated Remote SPAN (ERSPAN): here the mirrored traffic is encapsulated in a GRE (Generic Routing Encapsulation) header at the source and decapsulated at the monitoring station or at the last hop. This makes it possible to examine traffic remotely, even across routing boundaries.
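The unpacking step at the monitoring station, as an added example that is not from the original article: it strips the GRE and ERSPAN headers and returns the mirrored Ethernet frame with its session metadata. It assumes ERSPAN Type II (GRE protocol type 0x88BE with the sequence bit set) and input that starts at the GRE header; the function name and the sample packet are constructed for illustration.

```python
import struct

ERSPAN_II = 0x88BE  # GRE protocol type carried by ERSPAN Type II


def decap_erspan2(gre: bytes) -> dict:
    """Strip the GRE and ERSPAN Type II headers from a mirrored packet."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if flags & 0x0007 or proto != ERSPAN_II:
        raise ValueError(f"not ERSPAN Type II (flags=0x{flags:04x}, proto=0x{proto:04x})")
    if not flags & 0x1000:
        # Without the S bit there is no ERSPAN header (Type I); not handled here.
        raise ValueError("GRE sequence bit not set")
    off = 4
    off += 4 if flags & 0x8000 else 0   # C bit: checksum + reserved field
    off += 4 if flags & 0x2000 else 0   # K bit: key field
    if len(gre) < off + 12:             # 4-byte sequence + 8-byte ERSPAN header
        raise ValueError("truncated ERSPAN header")
    seq, w1, w2 = struct.unpack_from("!III", gre, off)
    if w1 >> 28 != 1:                   # version 1 identifies Type II
        raise ValueError("unexpected ERSPAN version")
    return {
        "sequence": seq,                 # gaps indicate dropped mirror packets
        "vlan": (w1 >> 16) & 0x0FFF,     # VLAN of the original frame
        "truncated": bool(w1 & 0x0400),  # T bit: mirrored frame was cut short
        "session_id": w1 & 0x03FF,       # ERSPAN session configured at the source
        "index": w2 & 0xFFFFF,           # platform-specific port index
        "frame": gre[off + 12:],         # original Ethernet frame
    }


# Constructed sample: session 42, VLAN 100, sequence 7, index 5,
# wrapping a made-up broadcast Ethernet frame.
INNER = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"
SAMPLE = struct.pack("!HHIII", 0x1000, ERSPAN_II, 7,
                     (1 << 28) | (100 << 16) | 42, 5) + INNER

if __name__ == "__main__":
    info = decap_erspan2(SAMPLE)
    print(info["session_id"], info["vlan"], info["sequence"], info["frame"].hex())
```

A sensor that receives ERSPAN must perform this decapsulation (or have it done at the last hop) before inspection; otherwise it analyzes the GRE tunnel rather than the mirrored traffic.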