SPAN
Overview
Catalyst switches can use the Switched Port Analyzer (SPAN) feature to mirror traffic from one source switch port or VLAN to a destination port. This allows a monitoring device, such as a network analyzer or “sniffer,” to be attached to the destination port for capturing traffic.
SPAN is available in two different forms:
- Local SPAN
Both the SPAN source and destination are located on the local switch. The source is one or more switch ports.
- Remote SPAN
The SPAN source and destination are located on different switches. Mirrored traffic is copied over a special-purpose VLAN across trunks between switches from the source to the destination.
A monitor session can bind to multiple sources.
Traffic that is routed from another VLAN into a source VLAN cannot be monitored with SPAN. An easy way to understand this is that only traffic that enters or exits the switch through a source port or VLAN is copied by a SPAN session.
Configuration
Local SPAN
Define Source and Destination
Switch(config)# monitor session session-number source { interface type member/mod/num | vlan vlan-id } [ rx | tx | both ]
Switch(config)# monitor session session-number destination interface type member/mod/num [ encapsulation replicate ]
The source can be a physical interface, a Layer 2 VLAN, or an EtherChannel, but not a logical VLAN interface (SVI). By default, both directions (rx and tx) are mirrored.
The destination must be a physical interface, not a VLAN SVI interface.
SPAN normally copies packets to the destination without any VLAN trunk tags. Also, SPAN does not normally copy Layer 2 protocol frames that are generated by the switch itself. Examples include Spanning Tree Protocol (STP) bridge protocol data units (BPDUs), Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), Dynamic Trunking Protocol (DTP), and Port Aggregation Protocol (PAgP). If you want to capture VLAN tagging information or these Layer 2 protocol frames, add the encapsulation replicate keywords to the destination command.
Filter Unwanted VLAN Traffic in Trunk Source Port
If the SPAN source is a trunk port, you might want to mirror only traffic from specific VLANs on the trunk. You can specify a list of VLANs with the following global configuration command:
Switch(config)# monitor session session-number filter vlan vlan-range
Two-way Communication on the Destination Port
If you connect a device that also needs to transmit data back into the network, you can override the default SPAN behavior (by default, frames received on the destination port are dropped). Add the ingress keyword to the monitor session destination command to allow ingress traffic:
Switch(config)# monitor session session_number destination { interface interface-id [, | -] [ encapsulation replicate ] ingress { dot1q vlan vlan-id | isl | untagged vlan vlan-id } }
You must specify how the ingress traffic should be handled. If the ingress traffic uses 802.1Q encapsulation, use the dot1q keyword and identify the default VLAN number. If the ingress traffic uses Inter-Switch Link (ISL) encapsulation, enter the isl keyword. Otherwise, if the ingress traffic is not encapsulated, use the untagged keyword and identify to which VLAN the traffic should be sent.
Example
Switch(config)# monitor session 1 source interface gigabitethernet1/0/1 both
Switch(config)# monitor session 1 destination interface gigabitethernet1/0/48
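As an added example (not from the page, and not Cisco's own tooling), the Python below builds the IOS lines for a local SPAN session and enforces the rules above before anything is pasted into a switch: no SVI as a source, a physical port as the destination, a VLAN number with dot1q or untagged ingress, and a VLAN filter only where it applies. The interface-name patterns, the class and function names, and the one rule not stated on the page (VLAN filtering cannot be combined with a VLAN source, per Catalyst SPAN documentation) are this example's own assumptions; platform-specific limits such as the number of sessions are not modelled.

```python
"""Build and sanity-check a local SPAN session as IOS CLI lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed naming for physical ports: gigabitethernet1/0/1, Gi1/0/48, Te1/1/1 ...
PHYSICAL_RE = re.compile(
    r"^(?:gigabitethernet|tengigabitethernet|fastethernet|gi|te|fa)\s?\d+(?:/\d+)+$", re.I)
# "vlan 10": a Layer 2 VLAN, valid as a SPAN source.
L2_VLAN_RE = re.compile(r"^vlan\s+\d+$", re.I)
# "Vlan10": the SVI (routed interface), never a valid SPAN source or destination.
SVI_RE = re.compile(r"^vlan\d+$", re.I)
# "port-channel 1" / "Po1": an EtherChannel, valid as a source.
PORT_CHANNEL_RE = re.compile(r"^(?:port-channel|po)\s?\d+$", re.I)


class SpanConfigError(ValueError):
    """Raised when the requested session violates a SPAN rule."""


@dataclass
class LocalSpan:
    session: int
    sources: List[str]
    destination: str
    direction: str = "both"             # rx | tx | both (both is the IOS default)
    filter_vlans: Optional[str] = None  # e.g. "10,20-25"; meaningful for trunk-port sources
    replicate: bool = False             # keep 802.1Q tags and switch-generated L2 PDUs
    ingress: Optional[str] = None       # dot1q | isl | untagged
    ingress_vlan: Optional[int] = None


def classify(name: str) -> str:
    """Return svi, vlan, physical or etherchannel for an interface/VLAN name."""
    n = name.strip()
    if SVI_RE.match(n):
        return "svi"
    if L2_VLAN_RE.match(n):
        return "vlan"
    if PHYSICAL_RE.match(n):
        return "physical"
    if PORT_CHANNEL_RE.match(n):
        return "etherchannel"
    raise SpanConfigError(f"unrecognised interface or VLAN name: {name!r}")


def build_local_span(cfg: LocalSpan) -> List[str]:
    """Return the global-config lines for cfg, or raise SpanConfigError."""
    if cfg.direction not in ("rx", "tx", "both"):
        raise SpanConfigError("direction must be rx, tx or both")
    if not cfg.sources:
        raise SpanConfigError("at least one source is required")

    lines: List[str] = []
    kinds = set()
    for src in cfg.sources:
        kind = classify(src)
        kinds.add(kind)
        if kind == "svi":
            raise SpanConfigError(
                f"{src!r} is an SVI; sources must be physical ports, L2 VLANs or EtherChannels")
        # VLAN sources use "source vlan N"; ports and EtherChannels use "source interface X".
        target = src.strip() if kind == "vlan" else f"interface {src.strip()}"
        lines.append(f"monitor session {cfg.session} source {target} {cfg.direction}")

    if cfg.filter_vlans:
        if "vlan" in kinds:
            raise SpanConfigError(
                "VLAN filtering applies to trunk-port sources and cannot be combined with a VLAN source")
        lines.append(f"monitor session {cfg.session} filter vlan {cfg.filter_vlans}")

    if classify(cfg.destination) != "physical":
        raise SpanConfigError(
            f"destination {cfg.destination!r} must be a physical interface, not a VLAN or SVI")
    dest = f"monitor session {cfg.session} destination interface {cfg.destination.strip()}"
    if cfg.replicate:
        dest += " encapsulation replicate"
    if cfg.ingress is not None:
        if cfg.ingress == "isl":
            dest += " ingress isl"
        elif cfg.ingress in ("dot1q", "untagged"):
            if cfg.ingress_vlan is None:
                raise SpanConfigError(f"ingress {cfg.ingress} needs a VLAN number")
            dest += f" ingress {cfg.ingress} vlan {cfg.ingress_vlan}"
        else:
            raise SpanConfigError("ingress must be dot1q, isl or untagged")
    lines.append(dest)
    return lines


if __name__ == "__main__":
    demo = LocalSpan(session=1, sources=["gigabitethernet1/0/1"],
                     destination="gigabitethernet1/0/48")
    print("\n".join(build_local_span(demo)))
```

Run as a script, it reproduces the two-line example above; the checks are where the value lies, since a rejected session is far cheaper than an SVI or VLAN destination silently failing on the switch or, with ingress enabled, a sniffer that can also inject.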
Remote SPAN
Define Source and Destination
SwitchA(config)# vlan vlan-id
SwitchA(config-vlan)# remote-span
SwitchA(config)# monitor session session-number source { interface type member/mod/num | vlan vlan-id } [ rx | tx | both ]
SwitchA(config)# monitor session session-number destination remote vlan rspan-vlan-id
SwitchB(config)# vlan vlan-id
SwitchB(config-vlan)# remote-span
SwitchB(config)# monitor session session-number source remote vlan rspan-vlan-id
SwitchB(config)# monitor session session-number destination interface type member/mod/num [ encapsulation replicate ]
Example
SwitchA(config)# vlan 99
SwitchA(config-vlan)# remote-span
SwitchA(config-vlan)# exit
SwitchA(config)# monitor session 1 source interface gigabitethernet 1/0/1 both
SwitchA(config)# monitor session 1 destination remote vlan 99
SwitchB(config)# vlan 99
SwitchB(config-vlan)# remote-span
SwitchB(config-vlan)# exit
SwitchC(config)# vlan 99
SwitchC(config-vlan)# remote-span
SwitchC(config-vlan)# exit
SwitchC(config)# monitor session 1 source remote vlan 99
SwitchC(config)# monitor session 1 destination interface gigabitethernet
ERSPAN
ASR1002(config)# monitor session 1 type erspan-source
ASR1002(config-mon-erspan-src)# source interface gig0/1/0 rx
ASR1002(config-mon-erspan-src)# no shutdown
ASR1002(config-mon-erspan-src)# destination
ASR1002(config-mon-erspan-src-dst)# erspan-id 101
ASR1002(config-mon-erspan-src-dst)# ip address 10.1.1.1
ASR1002(config-mon-erspan-src-dst)# origin ip address 172.16.1.1
SW6509(config)# monitor session 2 type erspan-destination
SW6509(config-mon-erspan-dst)# destination interface gigabitEthernet2/2/1
SW6509(config-mon-erspan-dst)# no shutdown
SW6509(config-mon-erspan-dst)# source
SW6509(config-mon-erspan-dst-src)# erspan-id 101
SW6509(config-mon-erspan-dst-src)# ip address 10.1.1.1
Managing SPAN Sessions
Switch# show monitor [session { session-number | all | local | range range-list | remote}] [detail]
Example
Switch# show monitor
Session 1
----------
Type : Local Session
Source Ports :
Both : Gi1/0/1
Destination Ports : Gi1/0/48
Encapsulation : Native
Ingress : Disabled
Session 2
----------
Type : Remote Source Session
Source Ports :
Both : Gi1/0/1
Dest RSPAN VLAN : 99
Switch#
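As an added example (not from the page), the Python below parses show monitor output in the format shown above and audits it against an allow-list of approved sensor ports and RSPAN VLANs. A session that copies traffic to a port or RSPAN VLAN nobody approved, or that has ingress enabled on its destination, is exactly what a stale configuration or an unauthorised tap looks like in this output. The sample text is constructed to match the page's example, and the function names are this example's own.

```python
"""Parse 'show monitor' output and flag unexpected SPAN sessions (added example)."""
import re
from typing import Dict, List, Set

# Constructed sample, mirroring the page's 'show monitor' output. Real output is
# indented per platform; the parser strips whitespace so that does not matter.
SAMPLE_SHOW_MONITOR = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi1/0/1
Destination Ports      : Gi1/0/48
    Encapsulation      : Native
          Ingress      : Disabled

Session 2
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Gi1/0/1
Dest RSPAN VLAN        : 99
"""

SESSION_RE = re.compile(r"^Session\s+(\d+)$")
DIRECTIONS = ("Both", "RX Only", "TX Only")


def parse_show_monitor(text: str) -> List[Dict]:
    """Return one dict per session: number, 'sources' by direction, plus each
    'Key : value' field (Type, Destination Ports, Dest RSPAN VLAN, Ingress ...)."""
    sessions: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:      # blank lines and ---- rulers
            continue
        m = SESSION_RE.match(line)
        if m:
            current = {"session": int(m.group(1)), "sources": {}}
            sessions.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in DIRECTIONS:                    # source list for one direction
            current["sources"][key] = [p.strip() for p in value.split(",") if p.strip()]
        elif value:                              # skip empty headers like "Source Ports :"
            current[key] = value
    return sessions


def audit_sessions(sessions: List[Dict], approved_ports: Set[str],
                   approved_rspan_vlans: Set[int]) -> List[str]:
    """Return findings for sessions whose mirrored traffic goes somewhere unexpected."""
    findings: List[str] = []
    for s in sessions:
        n = s["session"]
        dest = s.get("Destination Ports")
        rspan = s.get("Dest RSPAN VLAN")
        for port in (p.strip() for p in (dest or "").split(",") if p.strip()):
            if port not in approved_ports:
                findings.append(f"session {n}: mirrored traffic leaves on {port}, "
                                "which is not an approved sensor port")
        if rspan and int(rspan) not in approved_rspan_vlans:
            findings.append(f"session {n}: mirrored traffic is carried on RSPAN VLAN {rspan}, "
                            "which is not approved")
        if dest is None and rspan is None:
            findings.append(f"session {n}: no destination recorded; check the session by hand")
        if s.get("Ingress", "Disabled") != "Disabled":
            findings.append(f"session {n}: ingress is enabled, so the device on {dest} "
                            "can send frames into the network")
    return findings


if __name__ == "__main__":
    parsed = parse_show_monitor(SAMPLE_SHOW_MONITOR)
    for finding in audit_sessions(parsed, approved_ports={"Gi1/0/48"}, approved_rspan_vlans={99}):
        print(finding)
```

With Gi1/0/48 and VLAN 99 approved, the sample produces no findings; feed it the same output from a switch that someone has quietly pointed at another port, or drop the approvals, and each deviation is reported by session number so it can be reconciled against change records.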
Remove SPAN Sessions
Switch(config)# no monitor session { session-number | range session-range | local | all }