vQuicky – For the impatient like me 😉

>vSphere 5.1 enhancements include support SPAN and RSPAN for network monitoring and analysis

> SPAN is a feature that allows you to mirror a target port to analyze traffic. It stands for Switch Port Analyzer

> In SPAN, you have a source port that is mirrored to a destination port. A single source SPAN port can be mirrored to multiple destination ports but it won’t work vice-versa

> In a SPAN session, both the source SPAN port and the destination SPAN port are on the same physical switch.

> For multiple switch analysis, RSPAN is used. It stands for Remote SPAN.

> RSPAN works exactly as SPAN however all the source SPAN port traffic is flooded in a special RSPAN VLAN. A port on this vlan can be used to analyze traffic.

> For WAN traffic analysis, ERSPAN is used which stands for Encapsulated Remote Switch Port Analyzer.

> ERSPAN is for routable traffic which spans over WAN.

> ERSPAN uses a ERSPAN source session, a routable ERSPAN GRE-Encapsulated traffic and a ERSPAN destination session. The source and destination sessions live on different switches across networks.

> Remember to enable promiscuous mode to pick up traffic.


While going through whats new in vSphere 5.1, it is clear that they talk about ESXi 5.1 supporting network monitoring and troubleshooting features – SPAN and RSPAN. For as long as I have been in IT, I did not have a clear understanding of what these are so here goes.

SPAN – SPAN stands for Switch Port Analyzer. Think of this as port mirroring where you have a span port that mirrors all traffic going in and out of the mirrored port. The mirroring span port or destination span port is where you attach your traffic analyzer to check on the traffic that is nothing but a mirror of the source or mirrored span port. Traffic analyzer can be any thing such as wireshark for instance. The source port being monitored can be a switched or a routed port that is subjected to network analysis. You can also monitor bi-directional traffic or just sent or received traffic.

From my reading, a source port can be a anything such as a ether channel, fast ethernet, gigabit ethernet etc. A source port can also be monitored by multiple span sessions. As for the destination port, for a SPAN session, they should reside on the same switch and one destination port can participate in one span session only. So that means, it can only mirror traffic of one source span port. It cannot also self mirror – as in it cannot be the source port and the port cannot be a ether channel group either.

RSPAN – RSPAN stands for Remote SPAN. Now from above, it is easy enough to mirror a port on the same physical switch to sniff traffic but what if traffic is traversing across another switch or over the network? RSPAN allows you to monitor traffic all over your network. It is similar to SPAN in functionality but the only difference is that traffic is that mirrored traffic is flooded in the special RSPAN VLAN. Now you can hook up to any destination port that is part of this RSPAN VLAN and pick up traffic. SPAN and RSPAN work only at Layer 2 or LAN.

ERSPAN – ERSPAN stands for Encapsulated Remote Switch Port Analyzer. To be able to analyze traffic over WAN, use the ERSPAN feature. The way this works is that ERSPAN has a ERSPAN Source session, routable ERSPAN GRE-Encapsulated traffic and a ERSPAN destination session. For this to work you separately configure ERSPAN source and destination sessions on different switches.

Please comment or correct me if needed 🙂

More reading –

ESXi White paper –


  1. Pawandeep Singh on July 22, 2016 at 4:25 am said:

    Thanks mate, short precise and clear!!

Leave a Reply

Your email address will not be published.

Post Navigation