Configuring SPAN

This chapter describes how to configure Switched Port Analyzer (SPAN) on the Catalyst 6000 family switches.


Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6000 Family IOS Command Reference publication.

Understanding How SPAN Works

SPAN selects network traffic for analysis by a network analyzer such as a SwitchProbe device or other Remote Monitoring (RMON) probe. SPAN mirrors traffic from one or more source ports on any VLAN, from one or more VLANs, or from the sc0 console interface to a destination port for analysis (see Figure 22-1). In Figure 22-1, all traffic on Ethernet port 5 (the source port) is mirrored to Ethernet port 10. A network analyzer on Ethernet port 10 receives all network traffic from Ethernet port 5 without being physically attached to it.


Figure 22-1: Example SPAN Configuration


For SPAN configuration, the source ports and the destination port must be on the same switch.

SPAN does not affect the switching of network traffic on source ports; a copy of the packets received or transmitted by the source ports is sent to the destination port.

SPAN Concepts and Terminology

This section describes concepts and terminology associated with SPAN configuration.

SPAN Session

A SPAN session is an association of a destination port with a set of source ports; you configure SPAN sessions using parameters that specify the type of network traffic to monitor. SPAN sessions allow you to monitor traffic on one or more ports, or one or more VLANs, and send either ingress traffic, egress traffic, or both to one or more destination ports. You can configure two separate SPAN sessions with separate or overlapping sets of SPAN source ports or VLANs. Both switched and routed ports can be configured as SPAN sources.

SPAN sessions do not interfere with the normal operation of the switch. You can enable or disable SPAN sessions with command-line interface (CLI) or SNMP commands. When enabled, a SPAN session might become active or inactive based on various events or actions; a syslog message indicates each such change. The show monitor session {session number} command displays the operational status of a SPAN session.

A SPAN session will remain inactive after system power-up until the destination port is operational.

Destination Port

A destination port (also called a monitor port) is a switched or routed port where SPAN sends packets for analysis. You can have up to 64 SPAN destination ports. Once a port becomes an active destination port, incoming traffic is disabled; the port does not forward any traffic except that required for the SPAN session.

A port specified as a destination port in one SPAN session cannot be a destination port for a second SPAN session. A port configured as a destination port cannot be configured as a source port. EtherChannel ports cannot be SPAN destination ports.

Specifying a trunk port as a SPAN destination port stops trunking on the port.

Source Port

A source port is a switch port monitored for network traffic analysis. One or more source ports can be monitored in a single SPAN session with user-specified traffic types (ingress, egress, or both) applicable for all the source ports. You can have only one egress port and up to 64 ingress ports.

You can configure source ports in any VLAN. You can configure VLANs as source ports, which means that all ports in the specified VLANs are source ports for the SPAN session.

Trunk ports can be configured as source ports and mixed with nontrunk source ports; however, the destination port never encapsulates, so you do not see any encapsulation out of the SPAN destination port.

Traffic Types

Ingress SPAN (Rx) copies network traffic received by the source ports for analysis at the destination port. Egress SPAN (Tx) copies network traffic transmitted from the source ports. Specifying the configuration option "both" copies network traffic received and transmitted by the source ports to the destination port.

VLAN-Based SPAN

VLAN-based SPAN is analysis of the network traffic in one or more VLANs. You can configure VLAN-based SPAN as ingress SPAN, egress SPAN, or both. All the ports in the source VLANs become source ports for the VLAN-based SPAN session.

Use the following guidelines for VLAN-based SPAN sessions:

SPAN Traffic

All network traffic, including multicast and bridge protocol data unit (BPDU) packets, can be monitored using SPAN. Multicast packet monitoring is enabled by default.

In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination port. For example, a bidirectional (both ingress and egress) SPAN session is configured for sources a1 and a2 to a destination port d1. If a packet enters the switch through a1 and gets switched to a2, both incoming and outgoing packets are sent to destination port d1; both packets would be the same (unless a Layer-3 rewrite had occurred, in which case the packets would be different).

Configuring SPAN

SPAN Configuration Guidelines

Follow these guidelines when configuring SPAN:

Configuring SPAN from the CLI

This section describes the configuration options available for the SPAN feature:

These configuration commands are available to configure a SPAN session:

Command: Router(config)# no monitor session {session number} (see footnote 1)
Purpose: Clear existing SPAN configuration for a session.

Command: Router(config)# monitor session {session number} {source {interface type/num} | {vlan vlan num}} [, | - | rx | tx | both]
Purpose: Specify the SPAN session number (1 or 2) and source ports or source VLANs and direction of traffic to be monitored on the source ports or source VLANs.

Command: Router(config)# monitor session {session number} {destination {interface type/num} [, | - ] | {vlan vlan num}}
Purpose: Specify the SPAN session number (1 or 2) and the destination ports or destination VLANs.

Command: Router(config)# monitor session {session number} {filter {vlan num} [, | - ]}
Purpose: The filter keyword can be used to limit SPAN traffic to specific VLANs.

Footnote 1: The no monitor session command can be used with arguments to clear specific configuration parameters. See the "Removing Ports from a SPAN Session" section for details.

Creating a SPAN Session and Specifying Ports to Be Monitored

This example shows how to set up a SPAN session, session 1, for monitoring source ports to a destination port. First, any existing SPAN configuration for session 1 is cleared, and then bidirectional traffic is spanned from source port f5/1 to destination port f5/48. Traffic that is received on port f5/2 is then added as an additional SPAN source for session 1. Finally, traffic that is received on ports f5/3-6 is added as additional SPAN sources.

Router(config)# no monitor session 1
Router(config)# monitor session 1 source int f5/1
Router(config)# monitor session 1 dest int f5/48
Router(config)# monitor session 1 source int f5/2 rx
Router(config)# monitor session 1 source int f5/3 - 6 rx
 

In this example, SPAN session 2 is created. First, any existing SPAN configuration for session 2 is cleared, and then traffic that is received on port f5/30 is specified as a SPAN source. Traffic that is transmitted on port f5/29 is added as another source. The destination ports are then specified as ports f5/46-47.

Router(config)# no monitor session 2
Router(config)# monitor session 2 source int f5/30 rx
Router(config)# monitor session 2 source int f5/29 tx
Router(config)# monitor session 2 dest int f5/46 - 47

Removing Ports from a SPAN Session

This example shows how to remove port f5/2 as a SPAN source for SPAN session 1:

Router(config)# no monitor session 1 source int f5/2
 

Note that a direction keyword is not specified. When you use the no monitor session command to remove ports from a SPAN session without specifying a direction, both tx and rx are turned off.

This example turns off receive traffic monitoring on port f5/1, which was configured for bidirectional monitoring:

Router(config)# no monitor session 1 source int f5/1 rx
 

The monitoring of traffic received on port f5/1 is turned off, but traffic transmitted from this port continues to be monitored.
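
The add and remove rules above, together with the restrictions from the Destination Port section, can be checked before a change is applied. This added example (not Cisco's code) replays monitor session commands in order and reports the resulting state; it handles only the interface forms used in this chapter, and the names replay, violations and SAMPLE are chosen here.

```python
import re
from collections import defaultdict

# Matches only the interface forms used in this chapter (sessions 1 and 2, no VLAN sources).
CMD = re.compile(r"(no )?monitor session ([12])"
                 r"(?: (source|dest) int (\S+)(?: - (\d+))?(?: (rx|tx|both))?)?")

def ports(first, last):  # ('f5/3', '6') -> f5/3 .. f5/6; (port, None) -> that one port
    module, start = first.rsplit("/", 1)
    return [f"{module}/{n}" for n in range(int(start), int(last or start) + 1)]

def replay(commands):
    """Replay commands in order; return {session: {'src': {port: {'rx','tx'}}, 'dst': {ports}}}."""
    sessions = defaultdict(lambda: {"src": defaultdict(set), "dst": set()})
    for line in commands:
        m = CMD.fullmatch(line.split("# ", 1)[-1].strip())
        if not m:
            raise ValueError(f"unrecognized command: {line!r}")
        no, num, kind, first, last, direction = m.groups()
        s = sessions[int(num)]
        dirs = {"rx", "tx"} if direction in (None, "both") else {direction}
        if no and kind is None:              # "no monitor session N" clears the session
            s["src"].clear(); s["dst"].clear()
        for p in (ports(first, last) if kind else []):
            if kind == "dest":
                (s["dst"].discard if no else s["dst"].add)(p)
            elif no:                         # no direction given: both rx and tx go
                s["src"][p] -= dirs
                if not s["src"][p]:
                    del s["src"][p]
            else:
                s["src"][p] |= dirs          # assumption: a repeated add merges directions
    return sessions

def violations(sessions):
    """Destination-port restrictions stated in this chapter, checked across all sessions."""
    found = []
    for num, s in sorted(sessions.items()):
        for p in sorted(s["dst"]):
            if any(p in o["src"] for o in sessions.values()):
                found.append(f"session {num}: {p} is both destination and source")
            if any(p in o["dst"] for n, o in sessions.items() if n != num):
                found.append(f"session {num}: {p} is a destination in another session")
    return found

# Constructed input: this chapter's session 1 commands, then its two removal examples.
SAMPLE = ["no monitor session 1", "monitor session 1 source int f5/1",
          "monitor session 1 dest int f5/48", "monitor session 1 source int f5/2 rx",
          "monitor session 1 source int f5/3 - 6 rx", "no monitor session 1 source int f5/2",
          "no monitor session 1 source int f5/1 rx"]
```

After SAMPLE, port f5/1 is still mirrored in the transmit direction only and f5/2 is gone, matching the two removal examples above.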

Specifying VLANs to be Monitored

Monitoring VLANs is similar to monitoring ports. This example clears any existing configuration on SPAN session 2, configures SPAN session 2 to monitor bidirectional traffic on all ports belonging to VLAN 1, and sends it to destination port f5/47. The configuration is then modified to monitor received traffic on all ports belonging to VLAN 10.

Router(config)# no monitor session 2
Router(config)# monitor session 2 source vlan 1 
Router(config)# monitor session 2 dest int f5/47
Router(config)# monitor session 2 source vlan 10 rx

Specifying VLANs to be Filtered

This example clears any existing configuration on SPAN session 2, configures SPAN session 2 to monitor traffic received on trunk port f5/12, and sends it to destination port f5/45 but only on VLANs 1 through 5 and 9.

Router(config)# no monitor session 2
Router(config)# monitor session 2 source int f5/12 rx
Router(config)# monitor session 2 dest int f5/45
Router(config)# monitor session 2 filter vlan 1 - 5 , 9

Showing the SPAN Configuration

Use the show monitor command to show the current SPAN configuration (session 2 is specified in this example):

Router# show monitor session 2
Session 2
---------
Source Ports:
    RX Only:       Fa5/12
    TX Only:       None
    Both:          None
Source VLANs:
    RX Only:       None
    TX Only:       None
    Both:          None
Destination Ports: Fa5/45
Filter VLANs:      1-5,9 
Router#
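
Because the destination port receives a copy of whatever the sources carry, this output is worth comparing against what was approved for the switch. This added example (not part of the original chapter) parses the output above and lists deviations from a baseline; the approved sets, the function names and the comma-separated handling of multi-port fields are assumptions.

```python
import re

# Constructed sample: the "show monitor session 2" output shown in this chapter.
SAMPLE = """Session 2
---------
Source Ports:
    RX Only:       Fa5/12
    TX Only:       None
    Both:          None
Source VLANs:
    RX Only:       None
    TX Only:       None
    Both:          None
Destination Ports: Fa5/45
Filter VLANs:      1-5,9
"""

def items(value):
    """Split a comma-separated field into a set; expand numeric ranges such as 1-5."""
    out = set()
    for part in (p.strip() for p in value.split(",")):
        if m := re.fullmatch(r"(\d+)-(\d+)", part):
            out.update(str(v) for v in range(int(m[1]), int(m[2]) + 1))
        elif part not in ("", "None"):
            out.add(part)
    return out

def parse_show_monitor(text):
    """Return e.g. {'session': 2, 'Source Ports/RX Only': {...}, 'Destination Ports': {...}}."""
    parsed, section = {}, ""
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if m := re.fullmatch(r"Session (\d+)", key):
            parsed["session"] = int(m[1])
        elif sep and not value.strip():
            section = key + "/"      # "Source Ports:" opens a group of RX/TX/Both lines
        elif sep:
            prefix = section if raw.startswith(" ") else ""
            parsed[prefix + key] = items(value)
    return parsed

def audit(parsed, approved_dst, approved_src):
    """Findings for any destination, or any mirrored source, outside the approved baseline."""
    findings = [f"unapproved destination {v}"
                for v in sorted(parsed.get("Destination Ports", set()) - approved_dst)]
    for key, values in parsed.items():
        if key.startswith("Source "):
            findings += [f"unapproved source {v} ({key})" for v in sorted(values - approved_src)]
    return findings
```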

Posted: Mon Jan 3 14:20:23 PST 2000
Copyright 1989-1999©Cisco Systems Inc.