Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.1(19)EW - Configuring SPAN [Cisco Catalyst 4500 Series Switches]

Table Of Contents

Configuring SPAN

Overview of SPAN

SPAN Session

Destination Interface

Source Interface

Traffic Types

VLAN-Based SPAN

SPAN Traffic

SPAN Configuration Guidelines and Restrictions

Configuring SPAN

Configuring SPAN Sources

Configuring SPAN Destinations

Monitoring Source VLANs on a Trunk Interface

Configuration Scenario

Verifying a SPAN Configuration

CPU Port Sniffing

Encapsulation Configuration

Ingress Packets

Packet Type Filtering

Configuration Example

Configuring SPAN

This chapter describes how to configure the Switched Port Analyzer (SPAN) feature on the Catalyst 4500 series switches. SPAN selects network traffic for analysis by a network analyzer such as a SwitchProbe device or other Remote Monitoring (RMON) probe.

This chapter consists of the following sections:

•Overview of SPAN

•SPAN Configuration Guidelines and Restrictions

•Configuring SPAN

•CPU Port Sniffing

•Encapsulation Configuration

•Ingress Packets

•Packet Type Filtering

•Configuration Example

Note For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and the publications at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/index.htm

Overview of SPAN

SPAN mirrors traffic from one or more source interfaces on any VLAN, or from one or more VLANs to a destination interface for analysis. In Figure 32-1, all traffic on Ethernet interface 5 (the source interface) is mirrored to Ethernet interface 10. A network analyzer on Ethernet interface 10 receives all network traffic from Ethernet interface 5 without being physically attached to it.

For SPAN configuration, the source interfaces and the destination interface must be on the same switch.

SPAN does not affect the switching of network traffic on source interfaces; copies of the packets received or transmitted by the source interfaces are sent to the destination interface.

Figure 32-1 Example SPAN Configuration

The following sections describe how SPAN works:

•SPAN Session

•Destination Interface

•Source Interface

•Traffic Types

•VLAN-Based SPAN

•SPAN Traffic

SPAN Session

A SPAN session is an association of a destination interface with a set of source interfaces; you configure SPAN sessions using parameters that specify the type of network traffic to monitor. SPAN sessions allow you to monitor traffic on one or more interfaces, or one or more VLANs, and/or CPU (optionally with one or more queues), and send either ingress traffic, egress traffic, or both to a destination interface.

You can configure up to six separate SPAN sessions (2 ingress, 4 egress) with separate or overlapping sets of SPAN source interfaces or VLANs. A bi-directional SPAN session counts as both 1 ingress and 1 egress session. Both switched and routed interfaces can be configured as SPAN sources.

SPAN sessions do not interfere with the normal operation of the switch. When enabled, a SPAN session might become active or inactive based on various events or actions; a syslog message indicates this. The show monitor session command displays the administrative status of a SPAN session.

A SPAN session will remain inactive after system boot-up until the destination interface is operational.

Destination Interface

A destination interface (also called a monitor interface) is a switched or routed interface where SPAN sends packets for analysis. Once an interface becomes an active destination interface, incoming traffic is disabled. For more information, see "Ingress Packets" section.

An interface specified as a destination interface in one SPAN session cannot be a destination interface for another SPAN session. An interface configured as a destination interface cannot be configured as a source interface. EtherChannel interfaces cannot be SPAN destination interfaces. For more information about the encapsulation of spanned packets, see "Encapsulation Configuration" section.

Source Interface

A source interface is an interface monitored for network traffic analysis. One or more source interfaces can be monitored in a single SPAN session with user-specified traffic types (ingress, egress, or both) applicable for all the source interfaces.

You can configure source interfaces for any VLAN. You can configure VLANs as source interfaces, which means that all interfaces in the specified VLANs are source interfaces for the SPAN session.

Trunk interfaces can be configured as source interfaces and can be mixed with nontrunk source interfaces. For more information, see "Encapsulation Configuration" section.

Traffic Types

Ingress SPAN (Rx) copies network traffic received by the source interfaces for analysis at the destination interface. Egress SPAN (Tx) copies network traffic transmitted from the source interfaces. Specifying the configuration option "both" copies network traffic received and transmitted by the source interfaces to the destination interface.

VLAN-Based SPAN

VLAN-based SPAN analyzes the network traffic in one or more VLANs. You can configure VLAN based-SPAN as ingress SPAN, egress SPAN, or both. All of the interfaces in the source VLANs become source interfaces for the VLAN-based SPAN session.

Use the following guidelines for VLAN-based SPAN sessions:

•Trunk interfaces are included as source interfaces for VLAN-based SPAN sessions.

•For VLAN-based SPAN sessions with both ingress and egress SPAN configured, two packets are forwarded by the SPAN destination interface if the packets get switched on the same VLAN.

•When a VLAN is cleared, it is removed from the source list for VLAN-based SPAN sessions.

•Inactive and internal VLANs are not allowed for VLAN-based SPAN configuration.

•If a VLAN is being ingress monitored and the switch routes traffic from another VLAN to the monitored VLAN, that traffic is not monitored—it is not seen on the SPAN destination interface. Additionally, traffic that gets routed from an egress-monitored VLAN to some other VLAN does not get monitored. VLAN-based SPAN only monitors traffic that leaves or enters the switch, not traffic that gets routed between VLANs.

SPAN Traffic

All network traffic, including multicast and bridge protocol data unit (BPDU) packets, can be monitored using SPAN.

In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination interface. For example, a bidirectional (both ingress and egress) SPAN session is configured for sources a1 and a2 to a destination interface d1. If a packet enters the switch through a1 and gets switched to a2, both incoming and outgoing packets are sent to destination interface d1; both packets would be the same (unless a Layer-3 rewrite had occurred, in which case the packets would be different).

SPAN Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring SPAN:

•Use a network analyzer to monitor interfaces.

•You cannot mix source VLANs and filter VLANs within a SPAN session. You can have source VLANs or filter VLANs, but not both at the same time.

•EtherChannel interfaces can be SPAN source interfaces; they cannot be SPAN destination interfaces.

•When you specify source interfaces and do not specify a traffic type (Tx, Rx, or both), "both" is used by default.

•If you specify multiple SPAN source interfaces, the interfaces can belong to different VLANs.

•Enter the no monitor session number command with no other parameters to clear the SPAN session number.

•The no monitor command clears all SPAN sessions.

•SPAN destinations never participate in any spanning tree instance. SPAN includes BPDUs in the monitored traffic, so any BPDUs seen on the SPAN destination are from the SPAN source.

Configuring SPAN

The following sections describe how to configure SPAN:

•Configuring SPAN Sources

•Configuring SPAN Destinations

•Monitoring Source VLANs on a Trunk Interface

•Configuration Scenario

•Verifying a SPAN Configuration

Note Entering SPAN configuration commands does not clear previously configured SPAN parameters. You must enter the no monitor session command to clear configured SPAN parameters.

Configuring SPAN Sources

To configure the source for a SPAN session, perform this task:
Command

Purpose
Switch(config)# [no] monitor session 
{session_number} {source {interface 
<interface_list> | {vlan vlan_IDs | cpu  
[queue queue_ids ] } [rx | tx | both]
Specifies the SPAN session number (1 through 6), the source interfaces (FastEthernet or GigabitEthernet), VLANs (1 through 4094), whether or not traffic received or sent from the CPU is copied to the session destination, and the traffic direction to be monitored.

Use the no keyword to restore the defaults.
This example shows how to configure SPAN session 1 to monitor bidirectional traffic from source interface Fast Ethernet 5/1:
Switch(config)# monitor session 1 source interface fastethernet 5/1
This example shows how to configure sources with differing directions within a SPAN session:
Switch(config)# monitor session 1 source interface fa2/3 rx
Switch(config)# monitor session 1 source interface fa2/2 tx
Switch(config)# 
Configuring SPAN Destinations

To configure the destination for a SPAN session, perform this task:
Command

Purpose
Switch(config)# [no] monitor session 
<session_number> destination interface 
<interface> [encapsulation {isl | dot1q}] 
[ingress [vlan vlan_ID]]
Specifies the SPAN session number (1 through 6) and the destination interfaces or VLANs.

Use the no keyword to restore the defaults.
This example shows how to configure interface Fast Ethernet 5/48 as the destination for SPAN session 1:
Switch(config)# monitor session 1 destination interface fastethernet 5/48
Monitoring Source VLANs on a Trunk Interface

To monitor specific VLANs when the SPAN source is a trunk interface, perform this task:
Command

Purpose
Switch(config)# [no] monitor session 
{session_number} filter { vlan vlan_id  
[, | - ] } | { packet-type { good |  
bad } } | { address-type { unicast | 
multicast | broadcast } [ rx | tx |  
both ]}
Monitors specific VLANs when the SPAN source is a trunk interface. The filter keyword restricts monitoring to traffic that is on the specified VLANs; it is typically used when monitoring a trunk interface.

Monitoring is established through all the ports in the specified VLANs

Use the no keyword to restore the defaults.
This example shows how to monitor VLANs 1 through 5 and VLAN 9 when the SPAN source is a trunk interface:
Switch(config)# monitor session 2 filter vlan 1 - 5 , 9
Configuration Scenario

This example shows how to use the commands described in this chapter to completely configure and unconfigure a span session. Assume that you want to monitor bidirectional traffic from source interface Fast Ethernet 4/10, which is configured as a trunk interface carrying VLANs 1 through 4094. Moreover, you want to monitor only traffic in VLAN 57 on that trunk. Using Fast Ethernet 4/15 as your destination interface, you would enter the following commands:
Switch(config)# monitor session 1 source interface fastethernet 4/10
Switch(config)# monitor session 1 filter vlan 57
Switch(config)# monitor session 1 destination interface fastethernet 4/15
You are now monitoring traffic from interface Fast Ethernet 4/10 that is on VLAN 57 out of interface FastEthernet 4/15. To disable the span session enter the following command:
Switch(config)# no monitor session 1
Verifying a SPAN Configuration

This example shows how to verify the configuration of SPAN session 2:
Switch# show monitor session 2
Session 2
---------
Source Ports:
    RX Only:       Fa5/12
    TX Only:       None
    Both:          None
Source VLANs:
    RX Only:       None
    TX Only:       None
    Both:          None
Destination Ports: Fa5/45
Filter VLANs:      1-5,9 
Switch#
CPU Port Sniffing

When configuring a SPAN session, you can specify the CPU (or a subset of CPU queues) as a SPAN source. Queues may be specified either by number or by name. When such a source is specified, traffic going to the CPU through one of the specified queues is mirrored and sent out of the SPAN destination port in the session. This traffic includes both control packets and regular data packets that are sent to or from the CPU (due to software forwarding).

You can mix the CPU source with either regular port sources or VLAN sources.

To configure CPU source sniffing, perform this task:
Command

Purpose
Switch(config)# [no] monitor session 
{session_number} {source {interface 
<interface_list> | {vlan <vlan_IDs> | cpu  
[queue <queue_ids> ] } [rx | tx | both]
Specifies that the CPU will cause traffic received by or sent from the CPU to be copied to the destination of the session. The queue identifier optionally allows sniffing-only traffic (received) on the specified CPU queue(s).

Queues may be identified either by number or by name. Queue names may subsume multiple numbered queues for convenience.

Use the no keyword to restore the defaults.
This example shows how to configure a CPU source to sniff all packets received by the CPU:
Switch(config)# monitor session 1 source cpu rx
This example shows how to use queue names and queue number ranges for the CPU as a SPAN source:
Switch(config)# monitor session 2 source cpu queue control-packet rx
Switch(config)# monitor session 3 source cpu queue 21 -23 rx
Encapsulation Configuration

When configuring a SPAN destination port, you can explicitly specify the encapsulation type used by the port. Packets sent out the port are tagged in accordance with the specified mode. (The encapsulation mode also controls how tagged packets are handled when the ingress packet option is enabled.) The Catalyst 4500 series switch supervisor engines support ISL encapsulation and 802.1q encapsulation, as well as untagged packets. The "replicate" encapsulation type (in which packets are transmitted from the destination port using whatever encapsulation applied to the original packet) is not supported. If no encapsulation mode is specified, the port default is untagged.

Ingress Packets

When ingress is enabled, the SPAN destination port accepts incoming packets (potentially tagged depending on the specified encapsulation mode) and switches them normally. When configuring a SPAN destination port, you can specify whether or not the ingress feature is enabled and what VLAN to use to switch untagged ingress packets. (Specifying an ingress VLAN is not required when ISL encapsulation is configured, as all ISL encapsulated packets have VLAN tags.) Although the port is STP forwarding, it does not participate in the STP, so use caution when configuring this feature lest a spanning-tree loop be introduced in the network. When both ingress and a trunk encapsulation are specified on a SPAN destination port, the port will go forwarding in all active VLANs. Configuring a non-existent VLAN as an ingress VLAN is not allowed.

Host learning is disabled on SPAN destination ports with ingress enabled, and the port is removed from VLAN floodsets, so regular traffic will not be switched out of the destination port. If it is necessary to send traffic to a host connected to the SPAN destination port with ingress enabled, a static host entry may be configured.

To configure ingress packets and encapsulation, perform this task:
Command

Purpose
Switch(config)# [no] monitor session 
<session_number> destination interface 
<interface> [encapsulation {isl | dot1q}] 
[ingress [vlan vlan_ID]]
Specifies the configuration of the ingress packet and the encapsulation type of the destination port.

Use the no keyword to restore the defaults.
This example shows how to configure a destination port with 802.1q encapsulation and ingress packets using native VLAN 7:
Switch(config)# monitor session 1 destination interface fastethernet 5/48 
encapsulation dot1q ingress vlan 7
With this configuration, traffic from SPAN sources associated with session 1 would be copied out of interface Fast Ethernet 5/48, with 802.1q encapsulation. Incoming traffic would be accepted and switched, with untagged packets being classified into VLAN 7.

Packet Type Filtering

When configuring a SPAN session, you can specify packet filter parameters similar to VLAN filters. When specified, the packet filters indicate types of packets that may be sniffed. If no packet filters are specified, packets of all types may be sniffed. Different types of packet filters may be specified for ingress and egress traffic.

There are two categories of packet filtering: packet-based (good, error) or address-based (unicast/multicast/broadcast). Packet-based filters can only be applied in the ingress direction. Packets are classified as broadcast, multicast, or unicast by the hardware based on the destination address.

Note When filters of both types are configured, only packets that pass both filters are spanned. For example, if you set both "error" and "multicast," only multicast packets with errors will be spanned.

To configure packet type filtering, perform this task:
Command

Purpose
Switch(config)# [no] monitor session 
{session_number} filter { vlan vlan_id  
[, | - ] } | { packet-type { good | bad 
} } | { address-type { unicast | 
multicast | broadcast } [ rx | tx |  
both ]}
Specifes filter sniffing of the specified packet types in the specified directions.

You can specify both Rx and Tx type filters, as well as specify multiple type filters at the same time (such as good and unicast to only sniff non-error unicast frames). As with VLAN filters, if no type or filter is specified, then the session will sniff all packet types.

Use the no keyword to restore the defaults.
This example shows how to configure a session to accept only unicast packets in the ingress direction:
Switch(config)# monitor session 1 filter address-type unicast rx
Configuration Example

The following is an example of SPAN configuration using some of the SPAN enhancements.

In the example below, you configure a session to sniff unicast traffic arriving on interface Gi1/1. The traffic is mirrored out of interface Gi1/2 with ISL encapsulation. Ingress traffic is permitted.
Switch(config)# monitor session 1 source interface gi1/1 rx
Switch(config)# monitor session 1 destination interface gi1/2 encapsulation isl ingress
Switch(config)# monitor session 1 filter address-type unicast rx
Switch# show monitor
Session 1
---------
Type              :Local Session
Source Ports      :
    RX Only       :Gi1/1
Destination Ports :Gi1/2
    Encapsulation :ISL
          Ingress :Enabled
Filter Addr Type  :
    RX Only       :Unicast