SPAN

Usage:

  • Traffic monitoring;
  • Data collection;
  • Mirroring traffic to a certain application, for example, for voice recording;
  • IDS/IPS support.

Reference diagram: SPAN-10.png (image not reproduced in this text)

Basic SPAN configuration

Configuration example:

monitor session 1 source interface Gi1/0/9
monitor session 1 destination interface Gi1/0/24

Extended SPAN configuration

TASK: Interesting traffic is mirrored to port fa0/24 with its encapsulation retained (encapsulation replicate), from the following sources:

  • Inbound to port fa0/19
  • Outbound from port fa0/10
  • Inbound and outbound traffic on interface fa0/20 (trunk)

On trunk port fa0/20 the monitored VLANs are additionally limited with the filter vlan option to VLANs 1, 2, 3, 4 and 219 (the filter selects which VLANs of the trunk are mirrored; see Restrictions below).

Configuration example:

monitor session 11 source interface fa0/19 rx
monitor session 11 source interface fa0/10 tx
monitor session 11 source interface fa0/20 both
monitor session 11 filter vlan 1 - 4 , 219
monitor session 11 destination interface fa0/24 encapsulation replicate

Restrictions

Key:

  • When you configure a destination port, its original configuration is overwritten. If the SPAN configuration is removed, the original configuration on that port is restored.
  • When you configure a destination port, the port is removed from any EtherChannel bundle if it were part of one. If it were a routed port, the SPAN destination configuration overrides the routed port configuration.
  • Destination ports do not support port security, 802.1x authentication, or private VLANs. In general, SPAN/RSPAN and 802.1x are incompatible.
  • Destination ports do not support any Layer 2 protocols, including CDP, Spanning Tree, VTP, DTP, and so on.

Functional conditions:

  • The source can be either one or more ports or a VLAN, but not a mix of these.
  • Up to 64 SPAN destination ports can be configured on a switch.
  • Switched or routed ports can be configured as SPAN source ports or SPAN destination ports.
  • Be careful to avoid overloading the SPAN destination port. A 100-Mbps source port can easily overload a 10-Mbps destination port; it’s even easier to overload a 100-Mbps destination port when the source is a VLAN.
  • Within a single SPAN session, you cannot deliver traffic to a destination port when it is sourced by a mix of SPAN and RSPAN source ports or VLANs. This restriction comes into play when you want to mirror traffic to both a local port on a switch (in SPAN) and a remote port on another switch (in RSPAN mode).
  • A SPAN destination port cannot be a source port, and a source port cannot be a destination port.
  • Only one SPAN/RSPAN session can send traffic to a single destination port.
  • A SPAN destination port ceases to act as a normal switchport. That is, it passes only SPAN-related traffic.
  • It’s possible to configure a trunk port as the source of a SPAN or RSPAN session. In this case, all VLANs on the trunk are monitored by default; the filter vlan command option can be configured to limit the VLANs being monitored in this situation.
  • Traffic that is routed from another VLAN to a source VLAN cannot be monitored with SPAN. An easy way to understand this concept is that only traffic that enters or exits the switch in a source port or VLAN is forwarded in a SPAN session. In other words, if the traffic comes from another source within the switch (by routing from another VLAN, for example), that traffic isn’t forwarded via SPAN.
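Several of the conditions above (no mixing of port and VLAN sources, a destination port may not be a source port, only one session per destination port, at most 64 destination ports) can be checked mechanically before a configuration is pushed to a switch. The following checker is an added example and is not code from the original page; it reads plain `monitor session` lines of the form used above and reports violations. The sample configuration embedded in it is constructed for illustration, and the interface names and the deliberately broken session 12 are placeholders.

```python
"""Lint Cisco IOS `monitor session` lines against the SPAN restrictions above.

Added example (not from the original page). The configuration text below is
constructed: session 11 is the extended example from the page, session 12 is
a deliberately broken session used to exercise the checks.
"""
import re
from collections import defaultdict

MAX_DESTINATION_PORTS = 64  # per-switch limit stated in the restrictions list

# "monitor session 11 source interface fa0/19 rx"  (direction is optional)
SOURCE_IF_RE = re.compile(
    r"monitor session (\d+) source interface (\S+)(?: (rx|tx|both))?$")
# "monitor session 12 source vlan 50"
SOURCE_VLAN_RE = re.compile(
    r"monitor session (\d+) source vlan (\S+)(?: (rx|tx|both))?$")
# "monitor session 11 destination interface fa0/24 encapsulation replicate"
DEST_RE = re.compile(
    r"monitor session (\d+) destination interface (\S+)(?: encapsulation (\w+))?$")

SAMPLE_CONFIG = """
monitor session 11 source interface fa0/19 rx
monitor session 11 source interface fa0/10 tx
monitor session 11 source interface fa0/20 both
monitor session 11 filter vlan 1 - 4 , 219
monitor session 11 destination interface fa0/24 encapsulation replicate
! constructed bad session: mixes a VLAN and a port source, and reuses
! fa0/24 (already a destination of session 11) as both source and destination
monitor session 12 source vlan 50
monitor session 12 source interface fa0/24
monitor session 12 destination interface fa0/24
"""


def parse_span_config(config_text):
    """Group monitor-session lines by session id.

    Returns {session_id: {"source_ports", "source_vlans", "dest_ports",
    "encapsulation"}}. Interface names are lower-cased so that Gi1/0/9 and
    gi1/0/9 compare equal. Lines that are not source/destination statements
    (for example `filter vlan`) are ignored by this checker.
    """
    sessions = defaultdict(lambda: {"source_ports": set(), "source_vlans": set(),
                                    "dest_ports": set(), "encapsulation": "native"})
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = SOURCE_IF_RE.match(line)
        if m:
            sessions[int(m.group(1))]["source_ports"].add(m.group(2).lower())
            continue
        m = SOURCE_VLAN_RE.match(line)
        if m:
            sessions[int(m.group(1))]["source_vlans"].add(m.group(2))
            continue
        m = DEST_RE.match(line)
        if m:
            sess = sessions[int(m.group(1))]
            sess["dest_ports"].add(m.group(2).lower())
            if m.group(3):
                sess["encapsulation"] = m.group(3).lower()
    return dict(sessions)


def check_span_restrictions(sessions):
    """Return a list of human-readable violations of the restrictions above."""
    problems = []
    dest_owner = {}  # destination port -> first session that claimed it
    all_sources = set()
    for sess in sessions.values():
        all_sources |= sess["source_ports"]
    for sid, sess in sorted(sessions.items()):
        # The source can be ports or a VLAN, but not a mix of these.
        if sess["source_ports"] and sess["source_vlans"]:
            problems.append(f"session {sid}: mixes port sources and VLAN sources")
        if not sess["dest_ports"]:
            problems.append(f"session {sid}: no destination configured")
        for dest in sess["dest_ports"]:
            # A destination port cannot be a source port (in any session).
            if dest in all_sources:
                problems.append(f"session {sid}: destination {dest} is also a SPAN source port")
            # Only one SPAN/RSPAN session can send traffic to a destination port.
            if dest in dest_owner and dest_owner[dest] != sid:
                problems.append(
                    f"session {sid}: destination {dest} is already used by session {dest_owner[dest]}")
            dest_owner.setdefault(dest, sid)
    # Up to 64 SPAN destination ports can be configured on a switch.
    if len(dest_owner) > MAX_DESTINATION_PORTS:
        problems.append(
            f"{len(dest_owner)} destination ports exceed the limit of {MAX_DESTINATION_PORTS}")
    return problems


if __name__ == "__main__":
    for problem in check_span_restrictions(parse_span_config(SAMPLE_CONFIG)):
        print(problem)
```

Run against the sample, the checker reports four problems: session 11's destination fa0/24 is also used as a source (by session 12), and session 12 mixes a VLAN with a port source, uses a source port as its destination, and reuses a destination port already owned by session 11. The bandwidth condition (a 100-Mbps source feeding a 10-Mbps destination) is not checked here because it requires the port speeds, which the configuration lines do not carry.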

SPAN and RSPAN support two types of traffic: transmitted and received. By default, SPAN is
enabled for traffic both entering and exiting the source port or VLAN. However, SPAN can be
configured to monitor just transmitted traffic or just received traffic. Some additional conditions
apply to these traffic types, as detailed in this list:

  • For Receive (RX) SPAN, the goal is to deliver all traffic received to the SPAN destination. As a result, each frame to be transported across a SPAN connection is copied and sent before any modification (for example, VACL or ACL filtering, QoS modification, or even ingress or egress policing).
  • For Transmit (TX) SPAN, all relevant filtering or modification by ACLs, VACLs, QoS, or policing actions are taken before the switch forwards the traffic to the SPAN/RSPAN destination. As a result, not all transmit traffic necessarily makes it to a SPAN destination. Also, the frames that are delivered do not necessarily match the original frames exactly, depending on policies applied before they are forwarded to the SPAN destination.
  • A special case applies to certain types of Layer 2 frames. SPAN/RSPAN usually ignores CDP, spanning-tree BPDUs, VTP, DTP, and PAgP frames. However, these traffic types can be forwarded along with the normal SPAN traffic if the encapsulation replicate command is configured.

Troubleshooting

You can verify SPAN or RSPAN operation using the show monitor session command. From a
troubleshooting standpoint, it’s important to note that if the destination port is shut down, the
SPAN instance won’t come up. Once you bring the port up, the SPAN session will follow.

By privilege15