Information About SPAN
SPAN analyzes all traffic between source ports by directing the SPAN session traffic to a destination port with an external analyzer attached to it.
You can define the sources and destinations to monitor in a SPAN session on the local device.
This section includes the following topics:
SPAN Sources
The interfaces from which traffic can be monitored are called SPAN sources. Sources designate the traffic to monitor and whether to copy ingress, egress, or both directions of traffic. SPAN sources include the following:
- Ethernet ports
- VLANs—When a VLAN is specified as a SPAN source, all supported interfaces in the VLAN are SPAN sources.
- Remote SPAN (RSPAN) VLANs
Note: A single SPAN session can include mixed sources in any combination of the above.
Characteristics of Source Ports
SPAN source ports have the following characteristics:
- A port configured as a source port cannot also be configured as a destination port.
- An RSPAN VLAN can only be used as a SPAN source.
SPAN Destinations
SPAN destinations refer to the interfaces that monitor source ports. Destination ports receive the copied traffic from SPAN sources.
Characteristics of Destination Ports
SPAN destination ports have the following characteristics:
- Destinations for a SPAN session include Ethernet ports or port-channel interfaces in either access or trunk mode.
- A port configured as a destination port cannot also be configured as a source port.
- A destination port can be configured in only one SPAN session at a time.
- Destination ports do not participate in any spanning tree instance. SPAN output includes Bridge Protocol Data Unit (BPDU) Spanning-Tree Protocol hello packets.
- An RSPAN VLAN cannot be used as a SPAN destination.
- You can configure SPAN destinations to inject packets to disrupt a certain TCP packet stream in support of the Intrusion Detection System (IDS).
- You can configure SPAN destinations to enable a forwarding engine to learn the MAC address of the IDS.
SPAN Sessions
You can create up to 18 SPAN sessions designating sources and destinations to monitor.
Note: Only two SPAN sessions can be running simultaneously.
Figure 12-1 shows a SPAN configuration. Packets on three Ethernet ports are copied to destination port Ethernet 2/5. Only traffic in the direction specified is copied.
Figure 12-1 SPAN Configuration
Virtual SPAN Sessions
You can create a virtual SPAN session to monitor multiple VLAN sources and choose only VLANs of interest to transmit on multiple destination ports. For example, you can configure SPAN on a trunk port and monitor traffic from different VLANs on different destination ports.
Figure 12-2 shows a virtual SPAN configuration. The virtual SPAN session copies traffic from the three VLANs to the three specified destination ports. You can choose which VLANs to allow on each destination port to limit the traffic that the device transmits on it. In Figure 12-2, the device transmits packets from one VLAN at each destination port.
Note: Virtual SPAN sessions cause all source packets to be copied to all destinations, whether the packets are required at the destination or not. VLAN traffic filtering occurs at the egress destination port level.
Figure 12-2 Virtual SPAN Configuration
For information about configuring a virtual SPAN session, see the “Configuring a Virtual SPAN Session” section.
Multiple SPAN Sessions
Although you can define up to 18 SPAN sessions, only two SPAN sessions can be running simultaneously. You can shut down an unused SPAN session.
For information about shutting down SPAN sessions, see the “Shutting Down or Resuming a SPAN Session” section.
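The source, destination, and session limits described above can be checked against a planned set of sessions before it is deployed. The following is an added example, not part of the original guide or of Cisco DCNM; the SpanSession class, the audit function, and the interface and VLAN names are hypothetical, and the source/destination overlap is checked across all sessions on the device, which is one reading of the rule.

```python
from dataclasses import dataclass, field

MAX_SESSIONS = 18   # session numbers run from 1 to 18
MAX_RUNNING = 2     # only two sessions can be running simultaneously

@dataclass
class SpanSession:
    session_id: int
    sources: set = field(default_factory=set)       # Ethernet ports, VLANs, RSPAN VLANs
    destinations: set = field(default_factory=set)  # Ethernet ports or port channels
    admin_up: bool = False                          # sessions are created in the shut state

def audit(sessions, rspan_vlans=frozenset()):
    """Return the rule violations found in a planned list of SPAN sessions."""
    problems = []
    if len(sessions) > MAX_SESSIONS:
        problems.append(f"{len(sessions)} sessions defined, limit is {MAX_SESSIONS}")
    running = [s.session_id for s in sessions if s.admin_up]
    if len(running) > MAX_RUNNING:
        problems.append(f"sessions {running} are up, only {MAX_RUNNING} can run")
    # Assumption: a source in any session blocks use as a destination in any other.
    all_sources = set().union(*(s.sources for s in sessions))
    dest_owner = {}  # destination port -> first session that claimed it
    for s in sessions:
        if not 1 <= s.session_id <= MAX_SESSIONS:
            problems.append(f"session {s.session_id}: ID outside 1-{MAX_SESSIONS}")
        for d in sorted(s.destinations):
            if d in rspan_vlans:
                problems.append(f"session {s.session_id}: RSPAN VLAN {d} used as destination")
            if d in all_sources:
                problems.append(f"session {s.session_id}: {d} is both source and destination")
            if d in dest_owner:
                problems.append(f"session {s.session_id}: destination {d} "
                                f"already in session {dest_owner[d]}")
            dest_owner.setdefault(d, s.session_id)
    return problems

# Constructed sample plan; the port and VLAN names are made up for illustration.
PLAN = [
    SpanSession(1, {"eth2/1", "eth2/2", "eth2/3"}, {"eth2/5"}, admin_up=True),
    SpanSession(2, {"vlan10"}, {"eth2/5"}, admin_up=True),   # reuses destination eth2/5
    SpanSession(3, {"vlan900"}, {"eth2/1"}, admin_up=True),  # eth2/1 is already a source
]

if __name__ == "__main__":
    for line in audit(PLAN, rspan_vlans={"vlan900"}):
        print(line)
```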
High Availability
The SPAN feature supports stateless and stateful restarts. After a reboot or supervisor switchover, Cisco NX-OS applies the running configuration.
Virtualization Support
A virtual device context (VDC) is a logical representation of a set of system resources. SPAN applies only to the VDC where the commands are entered.
For information about configuring VDCs, see the Cisco DCNM Virtual Device Context Configuration Guide, Release 4.x.
Configuring SPAN
This section includes the following topics:
Configuring a SPAN Session
You can configure a SPAN session on the local device only. By default, SPAN sessions are created in the shut state. For sources, you can specify Ethernet ports, port channels, VLANs, and RSPAN VLANs. You can specify private VLANs (primary, isolated, and community) in SPAN sources.
For destination ports, you can specify Ethernet ports or port-channels in either access or trunk mode. You must enable monitor mode on all destination ports.
BEFORE YOU BEGIN
- A single SPAN session can include mixed sources in any combination of Ethernet ports or VLANs.
- You must have already configured the destination ports in access or trunk mode. For more information, see the Cisco DCNM Interfaces Configuration Guide, Release 4.x.
DETAILED STEPS
To configure a SPAN session, follow these steps:
Step 1 From the Feature Selector pane, choose Interfaces > Traffic Monitoring > SPAN. The available devices appear in the Summary pane.
Step 2 From the Summary pane, double-click the device that you want to configure with a SPAN session to display the configured SPAN sessions.
Step 3 (Optional) To delete a SPAN session that you are no longer using, right-click the SPAN session and choose Delete.
Step 4 (Optional) To configure a new SPAN session, from the menu bar choose File > New Local SPAN Session. By default, SPAN sessions are created in the shut state.
a. (Only the first time you create a SPAN session) From the Summary pane, double-click the device that you want to configure with a SPAN session to display the configured SPAN sessions.
b. (Optional) To modify the session number, from the Summary pane, double-click the Session Id field and enter a session number from 1 to 18.
Note: You can only modify the session number immediately after you create the session.
Step 5 From the Summary pane, choose the SPAN session to configure.
Step 6 From the Details pane, click the Configuration tab and expand the Session Settings section, if necessary.
Step 7 (Optional) To add a description of the SPAN session, specify it in the Description field.
Step 8 (Optional) In the Filtered VLANs field, click the down arrow to display and choose from the configured VLANs.
Step 9 Add source Ethernet ports to the SPAN session as follows:
a. From the Ports association panel, double-click the device and then double-click the desired slot to display ports.
b. Choose the port, right-click on the port row, and choose Add to SPAN Source to add this port to the SPAN session sources.
Step 10 Add source VLANs or RSPAN VLANs to the SPAN session as follows:
a. From the VLANs association panel, double-click the device to display the configured VLANs.
b. Choose the VLAN, right-click on the VLAN row, and choose Add to SPAN Source to add this VLAN to the SPAN session sources.
Step 11 Add destination Ethernet ports to the SPAN session as follows:
a. From the Ports association panel, double-click the device and then double-click the desired slot to display ports.
b. Choose an access or trunk port.
c. In the Monitor column, check the check box to enable monitoring on this port.
d. Right-click on the port row and choose Add to SPAN Destination to add this port to the SPAN session destinations.
Step 12 (Optional) To modify SPAN session source settings, follow these steps:
a. From the Details pane, click the Configuration tab and expand the Source and Destination section, if necessary.
b. To modify the ingress or egress choice for a source, check or uncheck the Ingress or Egress check box to activate the desired direction to monitor. By default, both ingress and egress are monitored.
c. To delete a SPAN source or destination, choose the source or destination entry, right-click on it, and choose Delete.
Step 13 From the menu bar, choose File > Deploy to apply your changes to the device.
Configuring a Virtual SPAN Session
You can configure a virtual SPAN session to copy packets from source ports, VLANs, and RSPAN VLANs to destination ports on the local device. By default, SPAN sessions are created in the shut state.
For sources, you can specify ports, VLANs, or RSPAN VLANs.
For destination ports, you can specify Ethernet ports. You can choose which VLANs to allow on each destination port to limit the traffic that the device transmits on it.
BEFORE YOU BEGIN
- You have already configured the destination ports in trunk mode. For more information, see the Cisco DCNM Interfaces Configuration Guide, Release 4.x.
DETAILED STEPS
To configure a virtual SPAN session, follow these steps:
Step 1 From the Feature Selector pane, choose Interfaces > Traffic Monitoring > SPAN. The available devices appear in the Summary pane.
Step 2 From the Summary pane, double-click the device that you want to configure with a SPAN session to display the configured SPAN sessions.
Step 3 (Optional) To delete a SPAN session that you are no longer using, right-click the SPAN session and choose Delete.
Step 4 (Optional) To configure a new SPAN session, from the menu bar choose File > New Local SPAN Session. By default, SPAN sessions are created in the shut state.
a. (Only the first time you create a SPAN session) From the Summary pane, double-click the device that you want to configure with a SPAN session to display the configured SPAN sessions.
b. (Optional) To modify the session number, from the Summary pane, double-click the Session Id field and enter a session number from 1 to 18.
Note: You can only modify the session number immediately after you create the session.
Step 5 From the Summary pane, choose the SPAN session to configure.
Step 6 From the Details pane, click the Configuration tab and expand the Session Settings section, if necessary.
Step 7 (Optional) To add a description of the SPAN session, specify it in the Description field.
Step 8 (Optional) To add VLANs to filter (include) in the SPAN session, in the Filtered VLANs field, click the down arrow to display the configured VLANs that you can choose.
Step 9 Add source Ethernet ports to the SPAN session as follows:
a. From the Ports association panel, double-click the device and then double-click the desired slot to display ports.
b. Choose the port, right-click on the port row, and choose Add to SPAN Source to add this port to the SPAN session sources.
Step 10 Add source VLANs or RSPAN VLANs to the SPAN session as follows:
a. From the VLANs association panel, double-click the device to display the configured VLANs.
b. Choose the VLAN, right-click on the VLAN row, and choose Add to SPAN Source to add this VLAN to the SPAN session sources.
Step 11 Add destination Ethernet ports to the SPAN session as follows:
a. From the Ports association panel, double-click the device and then double-click the desired slot to display ports.
b. Choose an access or trunk port.
c. In the Monitor column, check the check box to enable monitoring on this port.
d. Right-click on the port row and choose Add to SPAN Destination to add this port to the SPAN session destinations.
Step 12 Limit the VLANs allowed on a trunk port by following these steps:
a. From the Feature Selector pane, choose Interfaces > Physical > Ethernet. The available devices appear in the Summary pane.
b. From the Summary pane, double-click the device and then double-click the slot that you want to configure.
c. Choose the trunk port to configure.
d. From the Details pane, click the Port Details tab and expand the Port Mode Settings section, if necessary.
e. Limit the VLANs on the trunk by clicking the Allowed VLANs field. The field displays configured VLANs that you can choose.
Step 13 From the menu bar, choose File > Deploy to apply your changes to the device.
Configuring an RSPAN VLAN
You can specify a remote SPAN (RSPAN) VLAN as a SPAN session source.
DETAILED STEPS
To configure an RSPAN VLAN, follow these steps:
Step 1 From the Feature Selector pane, choose Switching > VLAN. The available devices appear in the Summary pane.
Step 2 From the Summary pane, double-click the device that you want to configure.
Step 3 Choose the VLAN to configure.
Step 4 From the Details pane, click the VLAN Details tab and expand the Advanced Settings section, if necessary.
Step 5 Check the RSPAN VLAN check box.
Step 6 From the menu bar, choose File > Deploy to apply your changes to the device.
Shutting Down or Resuming a SPAN Session
You can shut down SPAN sessions to discontinue the copying of packets from sources to destinations. Because only two SPAN sessions can be running simultaneously, you can shut down one session in order to free hardware resources to enable another session. By default, SPAN sessions are created in the shut state.
You can resume (enable) SPAN sessions to resume the copying of packets from sources to destinations. In order to enable a SPAN session that is already enabled but operationally down, you must first shut it down and then enable it.
DETAILED STEPS
To shut down or resume (enable) a SPAN session, follow these steps:
Step 1 From the Feature Selector pane, choose Interfaces > Traffic Monitoring > SPAN. The available devices appear in the Summary pane.
Step 2 From the Summary pane, double-click the device to display the configured SPAN sessions.
Step 3 From the Summary pane, choose the SPAN session to configure.
Step 4 From the Details pane, click the Configuration tab and expand the Session Settings section, if necessary.
Step 5 Resume (enable) the SPAN session by choosing Up in the Admin Status field.
Step 6 Shut down the SPAN session by choosing Down in the Admin Status field.
Note: If a monitor session is enabled but its operational status is down, you must first shut down the session and then resume it to enable the session.