Configuring SPAN
This chapter describes how to configure the Switched Port Analyzer (SPAN) on the Catalyst enterprise LAN switches.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference publication for your switch.
SPAN selects network traffic for analysis by a Catalyst 5000 family Network Analysis Module, a SwitchProbe device, or other RMON probe. SPAN mirrors traffic from one or more source ports (Ethernet, Fast Ethernet, Token Ring, or FDDI) on any VLAN to a destination port for analysis (see Figure 27-1).
Figure 27-1: Example SPAN Configuration

In Figure 27-1, all traffic on Ethernet port 5 (the source port) is mirrored to Ethernet port 10. A network analyzer on Ethernet port 10 receives all network traffic from Ethernet port 5 without being physically attached to it.
Follow these guidelines when configuring SPAN:
- If the SPAN destination port is a Token Ring port, then the source port must be a single Token Ring port.
- In software releases prior to 4.2, if the SPAN destination port is connected to another device, the port always receives incoming packets for the VLAN it is assigned to but does not participate in spanning tree for that VLAN. To avoid creating spanning-tree loops, assign the SPAN destination port to an unused VLAN.
- In software release 4.2 and later, incoming traffic on the SPAN destination port is disabled by default. You can enable it using the inpkts enable keywords. However, while the port receives traffic for its assigned VLAN, it does not participate in spanning tree for that VLAN. To avoid creating spanning-tree loops with incoming traffic enabled, assign the SPAN destination port to an unused VLAN.
- You cannot disable the reception of incoming packets on the destination SPAN port (using the inpkts disable keywords) on Token Ring SPAN destination ports.
- In software release 5.2 and later, with the inpkts option enabled, you can prevent the switch from learning source MAC addresses from traffic received on the SPAN destination port using the learning disable keywords. If you want the switch to learn source MAC addresses from traffic received on the SPAN destination port, use the learning enable keywords. By default, the switch learns source MAC addresses from incoming traffic (learning enable) if the inpkts option is enabled. The source MAC address learning options only affect traffic received from a device attached to the SPAN destination port itself, not from traffic mirrored from the SPAN source.
- On the Catalyst 5000 family Gigabit EtherChannel switching module (WS-X5410), both the source and destination SPAN ports must be on the same module.
- When monitoring a VLAN on the Catalyst 5000 family Gigabit EtherChannel switching module (WS-X5410), you must monitor both transmit and receive traffic (both). You cannot monitor only transmit (tx) or only receive (rx) traffic.
- Any traffic between two network nodes on the same network segment attached to a switch port configured as a SPAN source port is not mirrored to the SPAN destination port; only traffic that is switched is mirrored to the SPAN destination port.
- Multiple SPAN sessions can run at the same time, independent of VLAN membership. One ingress session (rx or both directions) and four egress sessions (tx) can coexist.
- You can configure up to four VLAN-only SPAN sessions on any port capable of trunking.
- Any interaction between two endstations on a shared segment that is attached to a Token Ring switch port configured as a SPAN source port will not be monitored at the destination SPAN port.
- For proper operation, the Token Ring module SPAN feature requires that the supervisor engine module be running software Release 4.5(1) or later.
- If you are running a supervisor engine module software release prior to Release 4.5(1), configure only a single Token Ring source port to be monitored. In supervisor engine module software Release 4.5(1) and later, a single source port is the standard Token Ring SPAN configuration.
- For the Catalyst 5000 Family Token Ring module SPAN feature to function reliably in Token Ring software releases prior to Release 3.3(1), the SPAN port and the port being monitored must be located on the same Token Ring module, and the final destination for traffic received by the source port should be a port on the same Token Ring module.
To configure SPAN, perform this task in privileged mode:
Step 1
Task: Configure a SPAN source and a SPAN destination port.
Command: set span {src_mod/src_ports | src_vlan | sc0} dest_mod/dest_port [rx | tx | both] [inpkts {enable | disable}] [learning {enable | disable}] [multicast {enable | disable}] [create]

Step 2
Task: Verify the SPAN configuration.
Command: show span
Caution: If the SPAN destination port is connected to another device and reception of incoming packets is enabled (using the inpkts enable keywords), the SPAN destination port receives traffic for the VLAN that the SPAN destination port belongs to. However, the SPAN destination port does not participate in spanning tree for that VLAN, so avoid creating network loops with the SPAN destination port. The inpkts keyword is available in supervisor engine software release 4.2 and later. In earlier releases, incoming packets are always received on the SPAN destination port. To avoid creating spanning-tree loops, assign the SPAN destination port to an unused VLAN.
This example shows how to configure SPAN so that both transmit and receive traffic from port 1/1 (the SPAN source) is mirrored on port 2/1 (the SPAN destination):
Console> (enable) set span 1/1 2/1
Enabled monitoring of Port 1/1 transmit/receive traffic by Port 2/1
Console> (enable) show span
Destination : Port 2/1
Admin Source : Port 1/1
Oper Source : Port 1/1
Direction : transmit/receive
Incoming Packets: disabled
This example shows how to set VLAN 522 as the SPAN source and port 2/1 as the SPAN destination:
Console> (enable) set span 522 2/1
Enabled monitoring of VLAN 522 transmit/receive traffic by Port 2/1
Console> (enable) show span
Destination : Port 2/1
Admin Source : VLAN 522
Oper Source : Port 3/1-2
Direction : transmit/receive
Incoming Packets: disabled
Console> (enable)
This example shows how to set VLAN 522 as the SPAN source and port 2/12 as the SPAN destination. Only transmit traffic is monitored. Normal incoming packets on the SPAN destination port are allowed.
Console> (enable) set span 522 2/12 tx inpkts enable
SPAN destination port incoming packets enabled.
Enabled monitoring of VLAN 522 transmit traffic by Port 2/12
Console> (enable) show span
Destination : Port 2/12
Admin Source : VLAN 522
Oper Source : Port 2/1-2
Direction : transmit
Incoming Packets: enabled
Console> (enable)
This example shows how to set multiple SPAN sessions using the following:
- Port 3/1 as the SPAN source and port 2/1 as the SPAN destination
- Port 3/2 as the SPAN source and port 2/2 as the SPAN destination
Console> (enable) set span 3/1 2/1
Enabled monitoring of port 3/1 transmit/receive traffic by Port 2/1
Console> (enable) set span 3/2 2/2 tx create
Enabled monitoring of port 3/2 transmit traffic by Port 2/1
Console> (enable) show span
Destination : Port 2/1
Admin Source : port 3/1
Oper Source : Port 3/1
Direction : transmit/receive
Incoming Packets: disabled
Destination : Port 2/2
Admin Source : port 3/2
Oper Source : Port 3/2
Direction : transmit
Incoming Packets: disabled
Console> (enable)
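The guidelines and the Caution above give two things worth checking in a captured show span listing: destination ports with incoming packets enabled, and session counts beyond one ingress and four egress. The following audit script is an added example, not Cisco code; it relies only on the field names printed in the examples above and assumes any direction other than plain "transmit" is an ingress session, since the rx-only wording does not appear on this page.

```python
import re

# Constructed sample in the "show span" format printed in the examples above.
SAMPLE = """\
Console> (enable) show span
Destination : Port 2/1
Admin Source : port 3/1
Oper Source : Port 3/1
Direction : transmit/receive
Incoming Packets: disabled
Destination : Port 2/12
Admin Source : VLAN 522
Oper Source : Port 2/1-2
Direction : transmit
Incoming Packets: enabled
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$")

def parse_show_span(text):
    # One dict per session; each "Destination" line opens a new session.
    sessions = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # prompts and status messages carry no "name : value" pair
        key, value = m.group(1).lower(), m.group(2)
        if key == "destination":
            sessions.append({})
        if sessions:
            sessions[-1][key] = value
    return sessions

def audit(sessions):
    # Flag inpkts-enabled destinations and session counts above the stated limits.
    findings = []
    for s in sessions:
        if s.get("incoming packets", "").lower() == "enabled":
            findings.append(f"{s['destination']}: incoming packets enabled; verify unused VLAN")
    # Assumption: every direction other than plain "transmit" is an ingress session.
    egress = sum(1 for s in sessions if s.get("direction", "").lower() == "transmit")
    ingress = sum(1 for s in sessions if "direction" in s) - egress
    if ingress > 1:
        findings.append(f"{ingress} ingress sessions configured; only one can coexist")
    if egress > 4:
        findings.append(f"{egress} egress sessions configured; only four can coexist")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_show_span(SAMPLE))))
```

The listing does not show which VLAN the destination port belongs to, so a flagged port still has to be checked against the VLAN assignment by hand.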
To disable SPAN, perform this task in privileged mode:
Task: Disable SPAN on the switch.
Command: set span disable [dest_mod/dest_port | all]
This example shows how to disable SPAN on the switch:
Console> (enable) set span disable 2/1
Disabled monitoring of VLAN 522 transmit traffic by Port 2/1
Console> (enable)







Posted: Tue Aug 8 17:24:58 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.