Catalyst 3550 Multilayer Switch Software Configuration Guide, 12.1(13)EA1
Configuring SPAN and RSPAN

Table Of Contents

Configuring SPAN and RSPAN

Understanding SPAN and RSPAN

SPAN and RSPAN Concepts and Terminology

SPAN Session

Traffic Types

Source Port

Destination Port

Reflector Port

VLAN-Based SPAN

SPAN Traffic

SPAN and RSPAN Interaction with Other Features

SPAN and RSPAN Session Limits

Default SPAN and RSPAN Configuration

Configuring SPAN

SPAN Configuration Guidelines

Creating a SPAN Session and Specifying Ports to Monitor

Creating a SPAN Session and Enabling Ingress Traffic

Removing Ports from a SPAN Session

Specifying VLANs to Monitor

Specifying VLANs to Filter

Configuring RSPAN

RSPAN Configuration Guidelines

Creating an RSPAN Session

Creating an RSPAN Destination Session

Creating an RSPAN Destination Session and Enabling Ingress Traffic

Removing Ports from an RSPAN Session

Specifying VLANs to Monitor

Specifying VLANs to Filter

Displaying SPAN and RSPAN Status


Configuring SPAN and RSPAN


This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on your Catalyst 3550 switch.


Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.


This chapter consists of these sections:

Understanding SPAN and RSPAN

Configuring SPAN

Configuring RSPAN

Displaying SPAN and RSPAN Status

Understanding SPAN and RSPAN

You can analyze network traffic passing through ports or VLANs by using SPAN to send a copy of the traffic to another port on the switch that has been connected to a SwitchProbe device or other Remote Monitoring (RMON) probe or security device. SPAN mirrors received or transmitted (or both) traffic on a single source port, or received traffic on one or more source ports or source VLANs, to a destination port for analysis.

For example, in Figure 23-1, all traffic on port 5 (the source port) is mirrored to port 10 (the destination port). A network analyzer on port 10 receives all network traffic from port 5 without being physically attached to port 5.

Figure 23-1 Example SPAN Configuration

Only traffic that enters or leaves source ports or traffic that enters source VLANs can be monitored by using SPAN; traffic that gets routed to ingress source ports or source VLANs cannot be monitored. For example, if incoming traffic is being monitored, traffic that gets routed from another VLAN to the source VLAN is not monitored; however, traffic that is received on the source VLAN and routed to another VLAN is monitored.

RSPAN extends SPAN by enabling remote monitoring of multiple switches across your network. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. The SPAN traffic from the sources is copied onto the RSPAN VLAN through a reflector port and then forwarded over trunk ports that are carrying the RSPAN VLAN to any RSPAN destination sessions monitoring the RSPAN VLAN, as shown in Figure 23-2.

Figure 23-2 Example of RSPAN Configuration

SPAN and RSPAN do not affect the switching of network traffic on source ports or source VLANs; a copy of the packets received or sent by the source interfaces is sent to the destination interface.

You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) Sensor Appliance to a destination port, the IDS device can send TCP Reset packets to close down the TCP session of a suspected attacker. This requires ingress forwarding to be enabled on the destination port; the port then accepts frames from the security device and forwards them at Layer 2 into the ingress VLAN you configure, so the device's monitoring interface should be treated as having Layer 2 access to that VLAN.

SPAN and RSPAN Concepts and Terminology

This section describes concepts and terminology associated with SPAN and RSPAN configuration.

SPAN Session

A local SPAN session is an association of a destination port with source ports and source VLANs. An RSPAN session is an association of source ports and source VLANs across your network with an RSPAN VLAN. The destination of an RSPAN source session is the RSPAN VLAN.

You configure SPAN sessions by using parameters that specify the source of network traffic to monitor. Traffic monitoring in a SPAN session has these restrictions:

You can monitor incoming traffic on a series or range of ports and VLANs.

You can monitor outgoing traffic on a single port; you cannot monitor outgoing traffic on multiple ports.

You cannot monitor outgoing traffic on VLANs.

You can configure two separate SPAN or RSPAN sessions with separate or overlapping sets of SPAN source ports and VLANs. Both switched and routed ports can be configured as SPAN sources and destinations.

SPAN sessions do not interfere with the normal operation of the switch. However, an oversubscribed SPAN destination, for example, a 10-Mbps port monitoring a 100-Mbps port, results in dropped or lost packets.

You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active unless you enable the destination port and at least one source port or VLAN for that session. The show monitor session session_number privileged EXEC command displays the operational status of a SPAN session.

A SPAN session remains inactive after system power-on until the destination port is operational.

Traffic Types

SPAN sessions include these traffic types:

Receive (Rx) SPAN—The goal of receive (or ingress) SPAN is to monitor as much as possible all the packets received by the source interface or VLAN before any modification or processing is performed by the switch. A copy of each packet received by the source is sent to the destination port for that SPAN session. You can monitor a series or range of ingress ports or VLANs in a SPAN session.

On tagged packets (Inter-Switch Link [ISL] or IEEE 802.1Q), the tagging is removed at the ingress port. At the destination port, if tagging is enabled, the packets appear with the ISL or 802.1Q headers. If no tagging is specified, packets appear in the native format.

Packets that are modified because of routing are copied without modification for Rx SPAN; that is, the original packet is copied. Packets that are modified because of quality of service (QoS)—for example, modified Differentiated Services Code Point (DSCP)—are copied with modification for Rx SPAN.

Some features that can cause a packet to be dropped during receive processing have no effect on SPAN; the destination port receives a copy of the packet even if the actual incoming packet is dropped. These features include IP standard and extended input access control lists (ACLs), IP standard and extended output ACLs for unicast, VLAN maps, ingress QoS policing, and policy-based routing. Switch congestion that causes packets to be dropped also has no effect on SPAN. A security device on the destination port therefore sees what arrived at the source, not only what the switch forwarded; an alert raised on Rx-mirrored traffic does not by itself show that the packet reached its target.

Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all the packets sent by the source interface after all modification and processing is performed by the switch. A copy of each packet sent by the source is sent to the destination port for that SPAN session. The copy is provided after the packet is modified.

Only one egress source port is allowed per SPAN session. VLAN monitoring is not supported in the egress direction.

Packets that are modified because of routing—for example, with a time-to-live (TTL) or MAC-address modification—are duplicated at the destination port. On packets that are modified because of QoS, the modified packet might not have the same DSCP (IP packet) or CoS (non-IP packet) as the SPAN source.

Some features that can cause a packet to be dropped during transmit processing might also affect the duplicated copy for SPAN. These features include VLAN maps, IP standard and extended output ACLs on multicast packets, and egress QoS policing. In the case of output ACLs, if the SPAN source drops the packet, the SPAN destination would also drop the packet. In the case of egress QoS policing, if the SPAN source drops the packet, the SPAN destination might not drop it. If the source port is oversubscribed, the destination ports will have different dropping behavior.

Both—In a SPAN session, you can monitor a single port for both received and sent packets.

Source Port

A source port (also called a monitored port) is a switched or routed port that you monitor for network traffic analysis. In a single local SPAN session or RSPAN source session, you can monitor source port traffic such as received (Rx), transmitted (Tx), or bidirectional (both); however, on a VLAN, you can monitor only received traffic. The switch supports any number of source ports (up to the maximum number of available ports on the switch) and any number of source ingress VLANs (up to the maximum number of VLANs supported).

A source port has these characteristics:

It can be any port type (for example, EtherChannel, Fast Ethernet, Gigabit Ethernet, and so forth).

It can be monitored in multiple SPAN sessions.

It cannot be a destination port.

Each source port can be configured with a direction (ingress, egress, or both) to monitor. For EtherChannel sources, the monitored direction would apply to all the physical ports in the group.

Source ports can be in the same or different VLANs.

For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.

You can configure a trunk port as a source port. By default, all VLANs active on the trunk are monitored. You can limit SPAN traffic monitoring on trunk source ports to specific VLANs by using VLAN filtering. Only switched traffic in the selected VLANs is sent to the destination port. This feature affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic. This feature is not allowed in sessions with VLAN sources.

Destination Port

Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports and VLANs.

The destination port has these characteristics:

It must reside on the same switch as the source port (for a local SPAN session).

It can be any Ethernet physical port.

It can participate in only one SPAN session at a time (a destination port in one SPAN session cannot be a destination port for a second SPAN session).

It cannot be a source port or a reflector port.

It cannot be an EtherChannel group or a VLAN.

It can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group has been specified as a SPAN source. The port is removed from the group while it is configured as a SPAN destination port.

The port does not transmit any traffic except that required for the SPAN session.

If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.

It does not participate in spanning tree while the SPAN session is active.

When it is a destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PagP, or LACP).

A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored.

No address learning occurs on the destination port.

Reflector Port

The reflector port is the mechanism that copies packets onto an RSPAN VLAN. The reflector port forwards only the traffic from the RSPAN source session with which it is affiliated. Any device connected to a port set as a reflector port loses connectivity until the RSPAN source session is disabled.

The reflector port has these characteristics:

It is a port set to loopback.

It cannot be an EtherChannel group, it does not trunk, and it cannot do protocol filtering.

It can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group is specified as a SPAN source. The port is removed from the group while it is configured as a reflector port.

A port used as a reflector port cannot be a SPAN source or destination port, nor can a port be a reflector port for more than one session at a time.

It is invisible to all VLANs.

The native VLAN for looped-back traffic on a reflector port is the RSPAN VLAN.

The reflector port loops back untagged traffic to the switch. The traffic is then placed on the RSPAN VLAN and flooded to any trunk ports that carry the RSPAN VLAN.

Spanning tree is automatically disabled on a reflector port.

If the bandwidth of the reflector port is not sufficient for the traffic volume from the corresponding source ports and VLANs, the excess packets are dropped. A 10/100 port reflects at 100 Mbps. A Gigabit port reflects at 1 Gbps.

VLAN-Based SPAN

VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or more VLANs. You can configure VSPAN to monitor only received (Rx) traffic, which applies to all the ports for that VLAN.

Use these guidelines for VSPAN sessions:

Only traffic on the monitored VLAN is sent to the destination port.

If a destination port belongs to a source VLAN, it is excluded from the source list and is not monitored.

If ports are added to or removed from the source VLANs, the traffic on the source VLAN received by those ports is added to or removed from the sources being monitored.

VLAN pruning and the VLAN allowed list have no effect on SPAN monitoring.

VSPAN only monitors traffic that enters the switch, not traffic that is routed between VLANs. For example, if a VLAN is being Rx-monitored and the multilayer switch routes traffic from another VLAN to the monitored VLAN, that traffic is not monitored and is not received on the SPAN destination port.

You cannot use filter VLANs in the same session with VLAN sources.

You can monitor only Ethernet VLANs.

SPAN Traffic

You can use local SPAN to monitor all network traffic, including multicast and bridge protocol data unit (BPDU) packets, and Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), Port Aggregation Protocol (PagP), and Link Aggregation Control Protocol (LACP) packets. You cannot use RSPAN to monitor Layer 2 protocols. See the "RSPAN Configuration Guidelines" section for more information.

In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination port. For example, a SPAN session monitors source port a1 for received (Rx) traffic and source port a2 for both received and sent (Rx and Tx) traffic, with d1 as the destination port. If a packet enters the switch through a1 and is switched out through a2, both the incoming copy (from a1) and the outgoing copy (from a2) are sent to destination port d1. The two copies are identical unless a Layer 3 rewrite occurs, in which case they differ because of the modified Layer 3 information.
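Which copies a sensor on the destination port actually receives follows from the Rx, Tx and VSPAN rules in the "Traffic Types", "VLAN-Based SPAN" and "SPAN Traffic" sections. The following Python model is an added example, not Cisco code or part of this guide: it encodes those rules and shows, for constructed frames, the duplicate-copy case described above, the Rx copy of a frame that an input ACL later discards, and the routed-into-VLAN case that VSPAN never sees. Port names a1, a2, d1, p3 and p4 are placeholders, and treating a port that is both a port source and a member of a source VLAN as producing one Rx copy is an assumption the text does not settle.

```python
"""Which copies of a frame reach a local SPAN destination on a Catalyst 3550,
following the Rx, Tx and VSPAN rules in this chapter.  Added example, not Cisco
code; port names and frames below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Frame:
    ingress_port: str
    ingress_vlan: int
    egress_port: Optional[str] = None    # None: dropped (ACL, VLAN map) or consumed
    egress_vlan: Optional[int] = None
    routed: bool = False                 # Layer 3 forwarded: TTL and MAC rewritten


@dataclass
class SpanSession:
    destination: str
    port_sources: Dict[str, str] = field(default_factory=dict)   # port -> rx | tx | both
    vlan_sources: Set[int] = field(default_factory=set)          # Rx only on this platform


def copies_seen(session: SpanSession, frame: Frame) -> List[str]:
    """Return the copies the destination port receives for one frame."""
    copies: List[str] = []
    # Rx SPAN copies the frame as it arrives, before input ACLs, VLAN maps,
    # QoS policing or routing act on it, so a frame the switch later drops
    # still shows up on the destination port.
    by_port = session.port_sources.get(frame.ingress_port) in ("rx", "both")
    # VSPAN: every active port of a source VLAN is a source except the
    # destination port itself, and only traffic *received* in that VLAN
    # counts; a frame routed into the VLAN from elsewhere is never copied.
    by_vlan = (frame.ingress_vlan in session.vlan_sources
               and frame.ingress_port != session.destination)
    if by_port or by_vlan:   # assumption: one Rx copy when both rules apply
        copies.append(f"rx@{frame.ingress_port} original frame")
    # Tx SPAN copies only what actually leaves a tx-monitored port, after any
    # rewrite; a dropped frame yields no Tx copy.
    if (frame.egress_port is not None
            and session.port_sources.get(frame.egress_port) in ("tx", "both")):
        how = "rewritten (routed)" if frame.routed else "as switched"
        copies.append(f"tx@{frame.egress_port} {how}")
    return copies


# Constructed scenarios: the a1/a2/d1 port session from the text and a VSPAN session.
PORT_SESSION = SpanSession("d1", {"a1": "rx", "a2": "both"})
VSPAN_SESSION = SpanSession("d1", vlan_sources={10})
SCENARIOS = [
    ("a1 -> a2, switched", PORT_SESSION, Frame("a1", 10, "a2", 10)),
    ("a2 -> a1, switched", PORT_SESSION, Frame("a2", 10, "a1", 10)),
    ("a1 in, dropped by input ACL", PORT_SESSION, Frame("a1", 10)),
    ("VLAN 10 -> routed to VLAN 20", VSPAN_SESSION, Frame("p3", 10, "p4", 20, routed=True)),
    ("VLAN 20 -> routed into VLAN 10", VSPAN_SESSION, Frame("p4", 20, "p3", 10, routed=True)),
    ("received on destination port d1", VSPAN_SESSION, Frame("d1", 10, "p3", 10)),
]

if __name__ == "__main__":
    for name, sess, frame in SCENARIOS:
        print(f"{name:34} -> {copies_seen(sess, frame) or ['nothing']}")
```

Two consequences for a sensor: in the a1/a2 case it receives two copies of every frame that crosses the two ports and will double-count flows unless it deduplicates, and an Rx copy proves only that the frame arrived at the switch, not that it was forwarded.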

SPAN and RSPAN Interaction with Other Features

SPAN interacts with these features:

Routing—Ingress SPAN does not monitor routed traffic. VSPAN only monitors traffic that enters the switch, not traffic that is routed between VLANs. For example, if a VLAN is being Rx-monitored and the multilayer switch routes traffic from another VLAN to the monitored VLAN, that traffic is not monitored and not received on the SPAN destination port.

Spanning Tree Protocol (STP)—A destination port or a reflector port does not participate in STP while its SPAN or RSPAN session is active. The destination or reflector port can participate in STP after the SPAN or RSPAN session is disabled. On a source port, SPAN does not affect the STP status. STP can be active on trunk ports carrying an RSPAN VLAN.

Cisco Discovery Protocol (CDP)—A SPAN destination port does not participate in CDP while the SPAN session is active. After the SPAN session is disabled, the port again participates in CDP.

VLAN Trunking Protocol (VTP)—You can use VTP to prune an RSPAN VLAN between switches.

VLAN and trunking—You can modify VLAN membership or trunk settings for source, destination, or reflector ports at any time. However, changes in VLAN membership or trunk settings for a destination or reflector port do not take effect until you disable the SPAN or RSPAN session. Changes in VLAN membership or trunk settings for a source port immediately take effect, and the respective SPAN sessions automatically adjust accordingly.

EtherChannel—You can configure an EtherChannel group as a source port but not as a SPAN destination port. When a group is configured as a SPAN source, the entire group is monitored.

If a port is added to a monitored EtherChannel group, the new port is added to the SPAN source port list. If a port is removed from a monitored EtherChannel group, it is automatically removed from the source port list. If the port is the only port in the EtherChannel group, the EtherChannel group is removed from SPAN.

If a physical port that belongs to an EtherChannel group is configured as a SPAN source, destination, or reflector port, it is removed from the group. After the port is removed from the SPAN session, it rejoins the EtherChannel group. Ports removed from an EtherChannel group remain members of the group, but they are in the down or standalone state.

If a physical port that belongs to an EtherChannel group is a destination or reflector port and the EtherChannel group is a source, the port is removed from the EtherChannel group and from the list of monitored ports.

QoS—For ingress monitoring, the packets sent to the SPAN destination port might be different from the packets actually received at the SPAN source port because the packets are forwarded after ingress QoS classification and policing. The packet DSCP might not be the same as the received packet.

For egress monitoring, the packets sent out the SPAN destination port might not be the same as the packets sent out of SPAN source ports because the egress QoS policing at the SPAN source port might change the packet classification. QoS policing is not applied at SPAN destination ports.

Multicast traffic can be monitored. For egress and ingress port monitoring, only a single unedited packet is sent to the SPAN destination port. It does not reflect the number of times the multicast packet is sent.

Port security—A secure port cannot be a SPAN destination port.

For SPAN sessions, do not enable port security on ports that are egress monitored when ingress forwarding is enabled on the destination port. For RSPAN source sessions, do not enable port security on any ports that are egress monitored.

802.1X—You can enable 802.1X on a port that is a SPAN destination or reflector port; however, 802.1X is disabled until the port is removed as a SPAN destination or reflector port. You can enable 802.1X on a SPAN source port.

For SPAN sessions, do not enable 802.1X on ports that are egress monitored when ingress forwarding is enabled on the destination port. For RSPAN source sessions, do not enable 802.1X on any ports that are egress monitored.

SPAN and RSPAN Session Limits

You can configure (and store in NVRAM) a maximum of two SPAN or RSPAN sessions on each switch. You can divide the two sessions between SPAN, RSPAN source, and RSPAN destination sessions. You can configure multiple source ports or source VLANs for each session.

Default SPAN and RSPAN Configuration

Table 23-1 shows the default SPAN and RSPAN configuration.

Table 23-1 Default SPAN and RSPAN Configuration

Feature / Default Setting

SPAN state: Disabled.

Source port traffic to monitor: Both received and sent traffic (both); for additional source ports or VLANs, only received (rx) traffic can be monitored.

Encapsulation type (destination port): Native form (no encapsulation type header).

Ingress forwarding (destination port): Disabled.


Configuring SPAN

This section describes how to configure SPAN on your switch. It contains this configuration information:

SPAN Configuration Guidelines

Creating a SPAN Session and Specifying Ports to Monitor

Creating a SPAN Session and Enabling Ingress Traffic

Removing Ports from a SPAN Session

Specifying VLANs to Monitor

Specifying VLANs to Filter

SPAN Configuration Guidelines

Follow these guidelines when configuring SPAN:

SPAN sessions can coexist with RSPAN sessions within the limits described in the "SPAN and RSPAN Session Limits" section.

The destination port cannot be a source port; a source port cannot be a destination port.

You can have only one destination port per SPAN session. You cannot have two SPAN sessions using the same destination port.

An EtherChannel port can be a SPAN source port; it cannot be a SPAN destination port.

An 802.1X port can be a SPAN source port. You can enable 802.1X on a port that is a SPAN destination or reflector port; however, 802.1X is disabled until the port is removed as a SPAN destination or reflector port.

For SPAN source ports, you can monitor transmitted traffic for a single port and received traffic for a series or range of ports or VLANs.

When you configure a switch port as a SPAN destination port, it is no longer a normal switch port; only monitored traffic passes through the SPAN destination port.

A trunk port can be a source port or a destination port. Outgoing packets through the SPAN destination port carry the configured encapsulation headers—either Inter-Switch Link (ISL) or IEEE 802.1Q. If no encapsulation type is defined, the packets are sent in native form.

You can configure a disabled port to be a source or destination port, but the SPAN function does not start until the destination port and at least one source port or source VLAN are enabled.

For received traffic, you can mix multiple source port and source VLANs within a single SPAN session. You cannot mix source VLANs and filter VLANs within a SPAN session; you can have source VLANs or filter VLANs, but not both at the same time.

You can limit SPAN traffic to specific VLANs by using the filter vlan keyword. If a trunk port is being monitored, only traffic on the VLANs specified with this keyword is monitored. By default, all VLANs are monitored on a trunk port.

A SPAN destination port never participates in any VLAN spanning tree. SPAN does include BPDUs in the monitored traffic, so any spanning-tree BPDUs received on the SPAN destination port for a SPAN session were copied from the SPAN source ports.

When SPAN is enabled, configuration changes have these results:

If you change the VLAN configuration of a destination port, the change is not effective until SPAN is disabled.

If you disable all source ports or the destination port, the SPAN function stops until both a source and the destination port are enabled.

If the source is a VLAN, the number of ports being monitored changes when you move a port in or out of the monitored VLAN.
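The restrictions above, together with the two-session limit in the "SPAN and RSPAN Session Limits" section, are easy to violate when a SPAN configuration is assembled from several change requests. The following Python script is an added example, not Cisco code or anything from this guide: it reads the monitor session lines of a saved running-config and reports violations of the documented rules. It assumes the VLAN filter command takes the form monitor session N filter vlan ... (the guidelines mention only the filter vlan keyword), and the sample configuration at the bottom is constructed for illustration.

```python
"""Lint the 'monitor session' lines of a Catalyst 3550 running-config against
the SPAN restrictions documented in this chapter.  Added example, not Cisco
code; it checks only what the text states and the sample config is constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set

MAX_SESSIONS = 2            # "a maximum of two SPAN or RSPAN sessions on each switch"
VLAN_MIN, VLAN_MAX = 1, 4094

RE_DST = re.compile(r"^monitor session (\d+) destination interface (\S+(?: \d\S*)?)", re.I)
RE_SRC_IF = re.compile(r"^monitor session (\d+) source interface (.+?)(?: (both|rx|tx))?$", re.I)
RE_SRC_VLAN = re.compile(r"^monitor session (\d+) source vlan (.+?)(?: (rx))?$", re.I)
RE_FILTER = re.compile(r"^monitor session (\d+) filter vlan (.+)$", re.I)   # assumed form


def norm(ifname: str) -> str:
    """fastEthernet0/1 or 'Fa 0/1' -> fa0/1; port-channel1 -> po1, so names compare."""
    m = re.match(r"^([A-Za-z-]+?)\s*(\d[\d/]*)$", ifname.strip())
    if not m:
        return ifname.strip().lower()
    kind = m.group(1).lower()
    return ("po" if kind.startswith("po") else kind[:2]) + m.group(2)


def expand_vlans(spec: str) -> List[int]:
    """'10 , 20 - 22' -> [10, 20, 21, 22]; the CLI requires spaces around , and -."""
    out: List[int] = []
    for piece in spec.split(" , "):
        if " - " in piece:
            lo, hi = piece.split(" - ")
            out.extend(range(int(lo), int(hi) + 1))
        else:
            out.append(int(piece))
    return out


def expand_interfaces(spec: str) -> List[str]:
    """'fastEthernet0/1 - 3 , port-channel1' -> ['fa0/1', 'fa0/2', 'fa0/3', 'po1']."""
    out: List[str] = []
    for piece in spec.split(" , "):
        if " - " in piece:
            first, last = piece.split(" - ")
            m = re.match(r"^(.*?)(\d+)$", first.strip())
            for n in range(int(m.group(2)), int(last) + 1):
                out.append(norm(m.group(1) + str(n)))
        else:
            out.append(norm(piece))
    return out


def lint_span(config: str) -> List[str]:
    findings: List[str] = []
    dest: Dict[int, str] = {}
    port_src: Dict[int, Dict[str, str]] = defaultdict(dict)   # session -> port -> direction
    vlan_src: Dict[int, Set[int]] = defaultdict(set)
    filt: Dict[int, Set[int]] = defaultdict(set)
    sessions: Set[int] = set()

    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"^monitor session (\d+) (\S+)", line, re.I)
        if not head:
            continue
        s, kind = int(head.group(1)), head.group(2).lower()
        sessions.add(s)
        if kind == "destination" and (m := RE_DST.match(line)):
            if s in dest:
                findings.append(f"session {s}: more than one destination port")
            dest[s] = norm(m.group(2))
        elif kind == "source" and (m := RE_SRC_IF.match(line)):
            direction = (m.group(3) or "both").lower()   # no direction given means both
            for port in expand_interfaces(m.group(2)):
                port_src[s][port] = direction
        elif kind == "source" and (m := RE_SRC_VLAN.match(line)):
            if not m.group(3):
                findings.append(f"session {s}: VLAN sources can be monitored rx only")
            vlan_src[s].update(expand_vlans(m.group(2)))
        elif kind == "filter" and (m := RE_FILTER.match(line)):
            filt[s].update(expand_vlans(m.group(2)))

    if len(sessions) > MAX_SESSIONS or any(s not in (1, 2) for s in sessions):
        findings.append(f"sessions {sorted(sessions)}: only sessions 1 and 2 exist on this switch")
    all_sources = {p for s in port_src for p in port_src[s]}
    dest_owner: Dict[str, int] = {}
    for s in sorted(sessions):
        d = dest.get(s)
        if d is None:
            findings.append(f"session {s}: no destination port, session stays inactive")
        else:
            if d.startswith("po"):
                findings.append(f"session {s}: destination {d} is an EtherChannel group")
            if d in all_sources:
                findings.append(f"session {s}: destination {d} is also a SPAN source port")
            if d in dest_owner:
                findings.append(f"session {s}: destination {d} already used by session {dest_owner[d]}")
            dest_owner.setdefault(d, s)
        egress = [p for p, dr in port_src[s].items() if dr in ("tx", "both")]
        if len(egress) > 1:
            findings.append(f"session {s}: egress monitored on {len(egress)} ports "
                            f"({', '.join(egress)}), only one is allowed")
        if vlan_src[s] and filt[s]:
            findings.append(f"session {s}: source VLANs and filter VLANs cannot be mixed")
        bad = sorted(v for v in vlan_src[s] | filt[s] if not VLAN_MIN <= v <= VLAN_MAX)
        if bad:
            findings.append(f"session {s}: VLAN ids out of range: {bad}")
    return findings


# Constructed sample with three deliberate violations.
SAMPLE_CONFIG = """\
monitor session 1 source interface fastEthernet0/1 - 3 both
monitor session 1 source interface port-channel1 rx
monitor session 1 destination interface fastEthernet0/10 encapsulation dot1q ingress vlan 5
monitor session 2 source vlan 10 , 20 - 22 rx
monitor session 2 filter vlan 30
monitor session 2 destination interface fastEthernet0/3
"""
```

Run it over the output of show running-config | include monitor session saved from the switch, or over a proposed change before it is applied; on the sample it reports the three-port egress source in session 1, the session 2 destination that is also a session 1 source, and the mixed source and filter VLANs in session 2.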

Creating a SPAN Session and Specifying Ports to Monitor

Beginning in privileged EXEC mode, follow these steps to create a SPAN session and specify the source (monitored) and destination (monitoring) ports:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

no monitor session {session_number | all | local | remote}

Clear any existing SPAN configuration for the session.

For session_number, specify 1 or 2.

Specify all to remove all SPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.

Step 3 

monitor session session_number source interface interface-id [, | -] [both | rx | tx]

Specify the SPAN session and the source port (monitored port).

For session_number, specify 1 or 2.

For interface-id, specify the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).

(Optional) [, | -] Specify a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.

(Optional) Specify the direction of traffic to monitor. If you do not specify a traffic direction, the source interface sends both sent and received traffic. Only received (rx) traffic can be monitored on additional source ports.

both—Monitor both received and sent traffic.

rx—Monitor received traffic.

tx—Monitor sent traffic.

Step 4 

monitor session session_number destination interface interface-id [encapsulation {dot1q | isl}]

Specify the SPAN session and the destination port (monitoring port).

For session_number, specify 1 or 2.

For interface-id, specify the destination port. Valid interfaces include physical interfaces.

(Optional) Specify the encapsulation header for outgoing packets. If not specified, packets are sent in native form.

isl—Use ISL encapsulation.

dot1q—Use 802.1Q encapsulation.

Step 5 

end

Return to privileged EXEC mode.

Step 6 

show monitor [session session_number]

Verify your entries.

Step 7 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

This example shows how to set up a SPAN session, session 1, for monitoring source port traffic to a destination port. First, any existing SPAN configuration for session 1 is cleared, and then bidirectional traffic is mirrored from source port 1 to destination port 10, with 802.1Q encapsulation on the destination port.

Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface fastEthernet0/1
Switch(config)# monitor session 1 destination interface fastEthernet0/10 encapsulation dot1q
Switch(config)# end

Creating a SPAN Session and Enabling Ingress Traffic

Beginning in privileged EXEC mode, follow these steps to create a SPAN session, to specify the source and destination ports, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance):

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

no monitor session {session_number | all | local | remote}

Clear any existing SPAN configuration for the session.

For session_number, specify 1 or 2.

Specify all to remove all SPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.

Step 3 

monitor session session_number source interface interface-id [, | -] [both | rx | tx]

Specify the SPAN session and the source port (monitored port).

For session_number, specify 1 or 2.

For interface-id, specify the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).

(Optional) [, | -] Specify a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.

(Optional) Specify the direction of traffic to monitor. If you do not specify a traffic direction, the source interface sends both sent and received traffic. Only received (rx) traffic can be monitored on additional source ports.

both—Monitor both received and sent traffic.

rx—Monitor received traffic.

tx—Monitor sent traffic.

Step 4 

monitor session session_number destination interface interface-id [encapsulation {dot1q [ingress vlan vlan-id] | isl [ingress]} | ingress vlan vlan-id]

Specify the SPAN session, the destination port (monitoring port), the packet encapsulation, and the ingress VLAN.

For session_number, specify 1 or 2.

For interface-id, specify the destination port. Valid interfaces include physical interfaces.

(Optional) Specify the encapsulation of the packets transmitted on the SPAN destination port. If no encapsulation is specified, all transmitted packets will be sent in native format (untagged).

Enter encapsulation dot1q to send native VLAN packets untagged and all other VLAN tx packets tagged dot1q.

Enter encapsulation isl to send all tx packets encapsulated using ISL.

(Optional) Specify whether forwarding is enabled for ingress traffic on the SPAN destination port.

For native (untagged) and dot1q encapsulation, specify ingress vlan vlan-id to enable ingress forwarding with vlan-id as the native VLAN; vlan-id is also used as the native VLAN for transmitted packets.

Specify ingress to enable ingress forwarding when using ISL encapsulation.

Step 5 

end

Return to privileged EXEC mode.

Step 6 

show monitor [session session_number]

Verify your entries.

Step 7 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that does not support 802.1Q encapsulation.

Switch(config)# monitor session 1 destination interface Fa 0/5 ingress vlan 5

This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that supports 802.1Q encapsulation.

Switch(config)# monitor session 1 destination interface Fa 0/5 encapsulation dot1q ingress vlan 5

This example shows how to disable ingress traffic forwarding on the destination port.

Switch(config)# monitor session 1 destination interface Fa 0/5 encapsulation dot1q

Removing Ports from a SPAN Session

Beginning in privileged EXEC mode, follow these steps to remove a port as a SPAN source for a session:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

no monitor session session_number source interface interface-id [, | -] [both | rx | tx]

Specify the characteristics of the source port (monitored port) and SPAN session to remove.

For session_number, specify 1 or 2.

For interface-id, specify the source port to no longer monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).

(Optional) Use [, | -] to specify a series or range of interfaces if they were configured. This option is valid when monitoring only received traffic. Enter a space before and after the comma; enter a space before and after the hyphen.

(Optional) Specify the direction of traffic (both, rx, or tx) to no longer monitor. If you do not specify a traffic direction, both transmit and receive are disabled.

Step 3 

end

Return to privileged EXEC mode.

Step 4 

show monitor [session session_number]

Verify your entries.

Step 5 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To remove a source or destination port from the SPAN session, use the no monitor session session_number source interface interface-id global configuration command or the no monitor session session_number destination interface interface-id global configuration command. To change the encapsulation type back to the default (native), use the monitor session session_number destination interface interface-id without the encapsulation keyword.

This example shows how to remove port 1 as a SPAN source for SPAN session 1:

Switch(config)# no monitor session 1 source interface fastEthernet0/1
Switch(config)# end

This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:

Switch(config)# no monitor session 1 source interface fastEthernet0/1 rx

The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.

Specifying VLANs to Monitor

VLAN monitoring is similar to port monitoring. Beginning in privileged EXEC mode, follow these steps to specify VLANs to monitor:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

no monitor session {session_number | all | local | remote}

Clear any existing SPAN configuration for the session.

For session_number, specify 1 or 2.

Specify all to remove all SPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.

Step 3 

monitor session session_number source vlan vlan-id [, | -] rx

Specify the SPAN session and the source VLANs (monitored VLANs). You can monitor only received (rx) traffic on VLANs.

For session_number, specify 1 or 2.

For vlan-id, the range is 1 to 4094; do not enter leading zeros.

(Optional) Use a comma (,) to specify a series of VLANs, or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.

Step 4 

monitor session session_number destination interface interface-id [encapsulation {dot1q | isl}]

Specify the SPAN session and the destination port (monitoring port).

For session_number, specify 1 or 2.

For interface-id, specify the destination port. Valid interfaces include physical interfaces.

(Optional) Specify the encapsulation header for outgoing packets. If not specified, packets are sent in native form.

isl—Use ISL encapsulation.

dot1q—Use 802.1Q encapsulation.

Step 5 

end

Return to privileged EXEC mode.

Step 6 

show monitor [session session_number]

Verify your entries.

Step 7 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To remove one or more source VLANs or destination ports from the SPAN session, use the no monitor session session_number source vlan vlan-id rx global configuration command or the no monitor session session_number destination interface interface-id global configuration command.

This example shows how to clear any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination port 7. The configuration is then modified to also monitor received traffic on all ports belonging to VLAN 10.

Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source vlan 1 - 3 rx
Switch(config)# monitor session 2 destination interface gigabitethernet0/7
Switch(config)# monitor session 2 source vlan 10 rx
Switch(config)# end

Specifying VLANs to Filter

Beginning in privileged EXEC mode, follow these steps to limit SPAN source traffic to specific VLANs:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

no monitor session {session_number | all | local | remote}

Clear any existing SPAN configuration for the session.

For session_number, specify 1 or 2.

Specify all to remove all SPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.

Step 3 

monitor session session_number source interface interface-id rx

Specify the characteristics of the source port (monitored port) and SPAN session.

For session_number, specify 1 or 2.

For interface-id, specify the source port to monitor. The interface specified must already be configured as a trunk port.

Step 4 

monitor session session_number filter vlan vlan-id [, | -]

Limit the SPAN source traffic to specific VLANs.

For session_number, specify 1 or 2.

For vlan-id, the range is 1 to 4094; do not enter leading zeros.

(Optional) Use a comma (,) to specify a series of VLANs or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.

Step 5 

monitor session session_number destination interface interface-id

Specify the characteristics of the destination port (monitoring port) and SPAN session.

For session_number, specify 1 or 2.

For interface-id, specify the destination port. Valid interfaces include physical interfaces.

Step 6 

end

Return to privileged EXEC mode.

Step 7 

show monitor [session session_number]

Verify your entries.

Step 8 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command.

This example shows how to clear any existing configuration on SPAN session 2, configure SPAN session 2 to monitor traffic received on trunk port 4, and send traffic for only VLANs 1 through 5 and 9 to destination port 8.

Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source interface gigabitethernet0/4 rx
Switch(config)# monitor session 2 filter vlan 1 - 5 , 9
Switch(config)# monitor session 2 destination interface gigabitethernet0/8
Switch(config)# end

Configuring RSPAN

This section describes how to configure RSPAN on your switch. It contains this configuration information:

RSPAN Configuration Guidelines

Creating an RSPAN Session

Creating an RSPAN Destination Session

Creating an RSPAN Destination Session and Enabling Ingress Traffic

Removing Ports from an RSPAN Session

Specifying VLANs to Monitor

Specifying VLANs to Filter

RSPAN Configuration Guidelines

Follow these guidelines when configuring RSPAN:

All the items in the "SPAN Configuration Guidelines" section apply to RSPAN.


Note As RSPAN VLANs have special properties, you should reserve a few VLANs across your network for use as RSPAN VLANs; do not assign access ports to these VLANs.



Note You can apply an output access control list (ACL) to RSPAN traffic to selectively filter or monitor specific packets. Specify these ACLs on the RSPAN VLAN in the RSPAN source switches.


RSPAN sessions can coexist with SPAN sessions within the limits described in the "SPAN and RSPAN Session Limits" section.

For RSPAN configuration, you can distribute the source ports and the destination ports across multiple switches in your network.

A port cannot serve as an RSPAN source port or RSPAN destination port while designated as an RSPAN reflector port.

When you configure a switch port as a reflector port, it is no longer a normal switch port; only looped-back traffic passes through the reflector port.

RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols.

The RSPAN VLAN is configured only on trunk ports and not on access ports. To avoid unwanted traffic in RSPAN VLANs, make sure that the VLAN remote-span feature is supported in all the participating switches. Access ports on the RSPAN VLAN are silently disabled.

RSPAN VLANs are included as sources for port-based RSPAN sessions when source trunk ports have active RSPAN VLANs. RSPAN VLANs can also be sources in SPAN sessions.

You can configure any VLAN as an RSPAN VLAN as long as these conditions are met:

No access port is configured in the RSPAN VLAN.

The same RSPAN VLAN is used for an RSPAN session in all the switches.

All participating switches support RSPAN.


Note The RSPAN VLAN cannot be VLAN 1 (the default VLAN) or VLAN IDs 1002 through 1005 (reserved to Token Ring and FDDI VLANs).


You should create an RSPAN VLAN before configuring an RSPAN source or destination session.

If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN-IDs that are lower than 1005.

Because RSPAN traffic is carried across a network on an RSPAN VLAN, the original VLAN association of the mirrored packets is lost. Therefore, RSPAN can only support forwarding of traffic from an IDS device onto a single user-specified VLAN.

Creating an RSPAN Session

First create an RSPAN VLAN for the session, using a VLAN that does not already exist in any of the switches that will participate in RSPAN. With VTP enabled in the network, you can create the RSPAN VLAN in one switch, and VTP propagates it to the other switches in the VTP domain for VLAN IDs that are lower than 1005. See the "Creating or Modifying an Ethernet VLAN" section for more information about creating an RSPAN VLAN.

Use VTP pruning to get efficient flow of RSPAN traffic, or manually delete the RSPAN VLAN from all trunks that do not need to carry the RSPAN traffic.

After creating the RSPAN VLAN, begin in privileged EXEC mode, and follow these steps to start an RSPAN source session and to specify the source (monitored) ports and the destination RSPAN VLAN.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

no monitor session {session_number | all | local | remote}

Clear any existing RSPAN configuration for the session.

For session_number, specify 1 or 2.

Specify all to remove all RSPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.

Step 3 

monitor session session_number source interface interface-id [, | -] [both | rx | tx]

Specify the RSPAN session and the source port (monitored port).

For session_number, specify 1 or 2.

For interface-id, specify the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).

(Optional) [, | -] Specify a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.

(Optional) Specify the direction of traffic to monitor. If you do not specify a traffic direction, both sent and received traffic on the source interface is monitored. Only received (rx) traffic can be monitored on additional source ports.

both—Monitor both received and sent traffic.

rx—Monitor received traffic.

tx—Monitor sent traffic.

Step 4 

monitor session session_number destination remote vlan vlan-id reflector-port interface

Specify the RSPAN session, the destination remote VLAN, and the reflector port.

For session_number, enter 1 or 2.

For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port. (See the "Creating or Modifying an Ethernet VLAN" section for more information about creating an RSPAN VLAN.)

For interface, specify the interface that will flood the RSPAN traffic onto the RSPAN VLAN.

Step 5 

end

Return to privileged EXEC mode.

Step 6 

show monitor [session session_number]

Verify your entries.

Step 7 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

This example shows how to clear any existing RSPAN configuration for session 1, configure RSPAN session 1 to monitor multiple source interfaces, and configure the destination RSPAN VLAN and the reflector-port.

Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface fastEthernet0/10 tx
Switch(config)# monitor session 1 source interface fastEthernet0/2 rx
Switch(config)# monitor session 1 source interface fastEthernet0/3 rx
Switch(config)# monitor session 1 source interface port-channel 102 rx
Switch(config)# monitor session 1 destination remote vlan 901 reflector-port fastEthernet0/1
Switch(config)# end
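As an added example that is not part of the Cisco guide, the following Python builds the RSPAN source-session commands from the procedure above and checks them against the guidelines stated earlier in this section: the RSPAN VLAN restriction (not VLAN 1 or 1002 through 1005), the rule that the reflector port cannot also be a source port, and the rule that only additional source ports are rx only. The function names, and the reading that at most one source port may be monitored for sent traffic, are my own assumptions.

```python
# Added example, not Cisco code: lint and generate an RSPAN source session
# against the guidelines in this chapter.

RESERVED_RSPAN_VLANS = {1, 1002, 1003, 1004, 1005}   # VLAN 1 and Token Ring/FDDI IDs
DIRECTIONS = ("both", "rx", "tx")


def lint_rspan_source_session(session, sources, rspan_vlan, reflector_port):
    """Return a list of guideline violations (empty when the session is clean).

    sources is an ordered list of (interface-id, direction) pairs exactly as
    they would be entered with 'monitor session N source interface'.
    """
    problems = []
    if session not in (1, 2):
        problems.append(f"session_number must be 1 or 2, not {session}")
    if not 1 <= rspan_vlan <= 4094:
        problems.append(f"VLAN {rspan_vlan} is outside the 1-4094 range")
    elif rspan_vlan in RESERVED_RSPAN_VLANS:
        problems.append(f"VLAN {rspan_vlan} cannot be an RSPAN VLAN")
    if not sources:
        problems.append("at least one source port is required")
    # Assumption: only one source port may be monitored for sent traffic
    # (tx or both); every additional source port must be rx only.
    sending = [port for port, direction in sources if direction != "rx"]
    if len(sending) > 1:
        problems.append(f"only one source port may monitor sent traffic: {sending}")
    for port, direction in sources:
        if direction not in DIRECTIONS:
            problems.append(f"{port}: direction must be both, rx or tx, not {direction!r}")
        if port == reflector_port:
            problems.append(f"{port} cannot be a source port and the reflector port")
    return problems


def rspan_source_session(session, sources, rspan_vlan, reflector_port):
    """Return the global configuration lines for a clean RSPAN source session."""
    problems = lint_rspan_source_session(session, sources, rspan_vlan, reflector_port)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"no monitor session {session}"]          # clear the session first
    for port, direction in sources:
        lines.append(f"monitor session {session} source interface {port} {direction}")
    lines.append(f"monitor session {session} destination remote vlan {rspan_vlan} "
                 f"reflector-port {reflector_port}")
    return lines


if __name__ == "__main__":
    # Reproduces the chapter's RSPAN session 1 example above.
    for line in rspan_source_session(
        1,
        [("fastEthernet0/10", "tx"), ("fastEthernet0/2", "rx"),
         ("fastEthernet0/3", "rx"), ("port-channel 102", "rx")],
        901, "fastEthernet0/1",
    ):
        print(line)
```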

Creating an RSPAN Destination Session

Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session and to specify the source RSPAN VLAN and the destination port:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

monitor session session_number source remote vlan vlan-id

Specify the RSPAN session and the source RSPAN VLAN.

For session_number, specify 1 or 2.

For vlan-id, specify the source RSPAN VLAN to monitor.

Step 3 

monitor session session_number destination interface interface-id [encapsulation {dot1q | isl}]

Specify the RSPAN session and the destination interface.

For session_number, specify 1 or 2.

For interface-id, specify the destination interface.

(Optional) Specify the encapsulation header for outgoing packets. If not specified, packets are sent in native form.

isl—Use ISL encapsulation.

dot1q—Use 802.1Q encapsulation.

Step 4 

end

Return to privileged EXEC mode.

Step 5 

show monitor [session session_number]

Verify your entries.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

This example shows how to configure VLAN 901 as the source remote VLAN and port 5 as the destination interface:

Switch(config)# monitor session 1 source remote vlan 901
Switch(config)# monitor session 1 destination interface fastEthernet0/5
Switch(config)# end

Creating an RSPAN Destination Session and Enabling Ingress Traffic

Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session, to specify the source RSPAN VLAN, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance):

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

monitor session session_number source remote vlan vlan-id

Specify the RSPAN session and the source RSPAN VLAN.

For session_number, specify 1 or 2.

For vlan-id, specify the source RSPAN VLAN to monitor.

Step 3 

monitor session session_number destination interface interface-id [encapsulation {dot1q [ingress vlan vlan-id] | isl [ingress]} | ingress vlan vlan-id]

Specify the RSPAN session, the destination port, the packet encapsulation, and the ingress VLAN.

For session_number, specify 1 or 2.

For interface-id, specify the destination port. Valid interfaces include physical interfaces.

(Optional) Specify the encapsulation of the packets transmitted on the RSPAN destination port. If no encapsulation is specified, all transmitted packets will be sent in native format (untagged).

Enter encapsulation dot1q to send native VLAN packets untagged and all other VLAN tx packets tagged dot1q.

Enter encapsulation isl to send all tx packets encapsulated using ISL.

(Optional) Specify whether forwarding is enabled for ingress traffic on the SPAN destination port.

For native (untagged) and dot1q encapsulation, specify ingress vlan vlan-id to enable ingress forwarding with vlan-id as the native VLAN; vlan-id is also used as the native VLAN for transmitted packets.

Specify ingress to enable ingress forwarding when using ISL encapsulation.

Step 4 

end

Return to privileged EXEC mode.

Step 5 

show monitor [session session_number]

Verify your entries.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

This example shows how to configure VLAN 901 as the source remote VLAN and how to configure the destination port for ingress traffic on VLAN 5 by using a security device that supports 802.1Q encapsulation:

Switch(config)# monitor session 1 source remote vlan 901
Switch(config)# monitor session 1 destination interface fastEthernet0/5 ingress vlan 5
Switch(config)# end

Removing Ports from an RSPAN Session

Beginning in privileged EXEC mode, follow these steps to remove a port as an RSPAN source for a session:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

no monitor session session_number source interface interface-id [, | -] [both | rx | tx]

Specify the characteristics of the RSPAN source port (monitored port) to remove.

For session_number, specify 1 or 2.

For interface-id, specify the source port to no longer monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).

(Optional) Use [, | -] to specify a series or range of interfaces if they were configured. Enter a space before and after the comma; enter a space before and after the hyphen.

(Optional) Specify the direction of traffic (both, rx, or tx) to no longer monitor. If you do not specify a traffic direction, both transmit and receive are disabled.

Step 3 

end

Return to privileged EXEC mode.

Step 4 

show monitor [session session_number]

Verify your entries.

Step 5 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

This example shows how to remove port 1 as an RSPAN source for RSPAN session 1:

Switch(config)# no monitor session 1 source interface fastEthernet0/1
Switch(config)# end

This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:

Switch(config)# no monitor session 1 source interface fastEthernet0/1 rx

The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.

Specifying VLANs to Monitor

VLAN monitoring is similar to port monitoring. Beginning in privileged EXEC mode, follow these steps to specify VLANs to monitor:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

no monitor session {session_number | all | local | remote}

Clear any existing SPAN configuration for the session.

For session_number, specify 1 or 2.

Specify all to remove all SPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.

Step 3 

monitor session session_number source vlan vlan-id [, | -] rx

Specify the RSPAN session and the source VLANs (monitored VLANs). You can monitor only received (rx) traffic on VLANs.

For session_number, specify 1 or 2.

For vlan-id, the range is 1 to 4094; do not enter leading zeros.

(Optional) Use a comma (,) to specify a series of VLANs, or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.

Step 4 

monitor session session_number destination remote vlan vlan-id reflector-port interface

Specify the RSPAN session, the destination remote VLAN, and the reflector port.

For session_number, enter 1 or 2.

For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port.

For interface, specify the interface that will flood the RSPAN traffic to the RSPAN VLAN.

Step 5 

end

Return to privileged EXEC mode.

Step 6 

show monitor [session session_number]

Verify your entries.

Step 7 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To remove one or more source VLANs from the RSPAN session, use the no monitor session session_number source vlan vlan-id rx global configuration command.

This example shows how to clear any existing configuration on RSPAN session 2, configure RSPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination remote VLAN 902 using reflector port 7. The configuration is then modified to also monitor received traffic on all ports belonging to VLAN 10.

Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source vlan 1 - 3 rx
Switch(config)# monitor session 2 destination remote vlan 902 reflector-port gigabitethernet0/7
Switch(config)# monitor session 2 source vlan 10 rx
Switch(config)# end

Specifying VLANs to Filter

Beginning in privileged EXEC mode, follow these steps to limit RSPAN source traffic to specific VLANs:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

no monitor session {session_number | all | local | remote}

Clear any existing SPAN configuration for the session.

For session_number, specify 1 or 2.

Specify all to remove all SPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.

Step 3 

monitor session session_number source interface interface-id rx

Specify the characteristics of the source port (monitored port) and RSPAN session.

For session_number, specify 1 or 2.

For interface-id, specify the source port to monitor. The interface specified must already be configured as a trunk port.

Step 4 

monitor session session_number filter vlan vlan-id [, | -]

Limit the RSPAN source traffic to specific VLANs.

For session_number, specify 1 or 2.

For vlan-id, the range is 1 to 4094; do not enter leading zeros.

(Optional) Use a comma (,) to specify a series of VLANs or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.

Step 5 

monitor session session_number destination remote vlan vlan-id reflector-port interface

Specify the RSPAN session, the destination remote VLAN, and the reflector port.

For session_number, enter 1 or 2.

For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port.

For interface, specify the interface that will flood the RSPAN traffic to the RSPAN VLAN.

Step 6 

end

Return to privileged EXEC mode.

Step 7 

show monitor [session session_number]

Verify your entries.

Step 8 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To monitor all VLANs on the trunk port, use the no monitor session session_number filter vlan global configuration command.

This example shows how to clear any existing configuration on RSPAN session 2, configure RSPAN session 2 to monitor traffic received on trunk port 4, and send traffic for only VLANs 1 through 5 and 9 to destination remote VLAN 902 with port 8 as the reflector port.

Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source interface gigabitethernet0/4 rx
Switch(config)# monitor session 2 filter vlan 1 - 5 , 9
Switch(config)# monitor session 2 destination remote vlan 902 reflector-port gigabitethernet0/8
Switch(config)# end

Displaying SPAN and RSPAN Status

To display the status of the current SPAN or RSPAN configuration, use the show monitor privileged EXEC command.

This is an example of output for the show monitor privileged EXEC command for SPAN source session 1:

Switch# show monitor session 1
Session 1
---------
Type              : Local Session
Source Ports      :
    RX Only       : None
    TX Only       : None
    Both          : Fa0/4
Source VLANs      :
    RX Only       : None
    TX Only       : None
    Both          : None
Source RSPAN VLAN : None
Destination Ports : Fa0/5
    Encapsulation: DOT1Q
          Ingress: Enabled, default VLAN = 5
Reflector Port    : None
Filter VLANs      : None
Dest RSPAN VLAN   : None
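As an added example, not part of the Cisco guide: a small Python parser for the show monitor session output above, plus an audit that flags the settings a reviewer most often wants to confirm (a destination port with ingress forwarding enabled, or an RSPAN VLAN in the range the RSPAN guidelines exclude). The field names and the sample text are taken from the output above; the function names are my own.

```python
import re

# Constructed sample: the "show monitor session 1" output shown above.
SAMPLE_SHOW_MONITOR = """\
Switch# show monitor session 1
Session 1
---------
Type              : Local Session
Source Ports      :
    RX Only       : None
    TX Only       : None
    Both          : Fa0/4
Source VLANs      :
    RX Only       : None
    TX Only       : None
    Both          : None
Source RSPAN VLAN : None
Destination Ports : Fa0/5
    Encapsulation: DOT1Q
          Ingress: Enabled, default VLAN = 5
Reflector Port    : None
Filter VLANs      : None
Dest RSPAN VLAN   : None
"""

RESERVED_RSPAN_VLANS = {1, 1002, 1003, 1004, 1005}   # per the RSPAN guidelines


def _values(text):
    """'None' -> [], otherwise a comma-separated list such as 'Fa0/4, Fa0/5'."""
    return [] if text == "None" else [v.strip() for v in text.split(",")]


def parse_show_monitor(output):
    """Turn one session of show monitor output into a dictionary."""
    session = {"Source Ports": {}, "Source VLANs": {}}
    group = None                      # which indented block we are inside
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Switch#") or set(line) == {"-"}:
            continue                  # prompt, blank and rule lines
        header = re.match(r"Session (\d+)$", line)
        if header:
            session["Session"] = int(header.group(1))
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if not raw.startswith(" "):               # top-level field
            group = key if key in session else None
            if group is None:
                session[key] = value
        elif group and key in ("RX Only", "TX Only", "Both"):
            session[group][key] = _values(value)
        else:                                     # Encapsulation / Ingress
            session[key] = value
    return session


def audit_session(session):
    """Flag settings a reviewer should confirm were intended."""
    findings = []
    ingress = session.get("Ingress", "Disabled")
    if ingress.startswith("Enabled"):
        findings.append(f"destination {session.get('Destination Ports')} forwards "
                        f"ingress traffic ({ingress}); only a security device that "
                        "must send into the network needs this")
    for field in ("Source RSPAN VLAN", "Dest RSPAN VLAN"):
        vlan = session.get(field, "None")
        if vlan.isdigit() and int(vlan) in RESERVED_RSPAN_VLANS:
            findings.append(f"{field} {vlan} is not a permitted RSPAN VLAN")
    return findings
```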