Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
A switch feature (Cisco's Switched Port Analyzer) that mirrors traffic from source ports or VLANs to a monitor port feeding an IDS, sniffer, or packet capture.
SPAN Definition: A switch feature (Cisco's Switched Port Analyzer) that mirrors traffic from source ports or VLANs to a monitor port feeding an IDS, sniffer, or packet capture.
SPAN (Switched Port Analyzer) is a network switch feature that copies traffic from one or more source ports or VLANs and forwards those copies to a designated monitor (destination) port. It lets analysts, IDS/IPS sensors, and packet-capture tools observe traffic passively without disrupting production flows. SPAN is Cisco's term; the generic concept is port mirroring.
A switch normally forwards frames only to the port toward their destination, so a passive sniffer attached anywhere sees little. SPAN solves this by duplicating selected frames in hardware to the monitor port. Local SPAN keeps source and destination on one switch; RSPAN carries mirrored traffic across switches over a dedicated VLAN; ERSPAN encapsulates it in GRE to send copies across a routed Layer 3 network to a remote analyzer.
SPAN matters because most detection and forensics depend on visibility. IDS/IPS, NDR platforms, DLP, and full packet capture rely on a feed of real traffic; SPAN provides it without inline failure risk. Its limits are also security-relevant: a monitor port can be oversubscribed and drop packets under load, mirrored copies may omit errored frames, and an attacker with switch access could redirect a SPAN session to exfiltrate sensitive traffic, so SPAN configuration should be tightly controlled and audited.
For example, a SOC monitoring a data-center segment configures the switch with `monitor session 1 source vlan 100` and `monitor session 1 destination interface Gi1/0/24`, then connects a Zeek or Snort sensor to Gi1/0/24. The sensor receives a copy of all VLAN 100 traffic and raises alerts on suspicious activity, while the original packets continue flowing unaffected to their real destinations.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →