Prepare to Configure Switched Port Analyzer (SPAN) on a Catalyst Switch

Introduction      Catalyst Switches that Support SPAN and RSPAN      SPAN and RSPAN Terminology and Concepts           SPAN Terminology           SPAN Session           SPAN Traffic Types           Receive (Rx) SPAN           Transmit (Tx) SPAN           Characteristics of Source Port           VLAN Filtering           Characteristics of Source VLAN           Characteristics of Destination Port           Characteristics of Reflector Port           RSPAN VLAN      SPAN and RSPAN Example           SPAN (Local SPAN)           Remote SPAN      SPAN on the Catalyst 2900XL/3500XL Switches           Features that are Available and Restrictions      SPAN on the Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750 and 3750-E Series Switches      RSPAN Configuration Guidelines      SPAN and RSPAN Interaction with other Features      SPAN and RSPAN Session Limits      Default SPAN and RSPAN Configuration      Next Step      Related Information

Download PDF   Prepare to Configure Switched Port Analyzer (SPAN) on a Catalyst Switch

Introduction

This document provides general information to understand Switched Port Analyzer (SPAN) feature, its supported products, SPAN concepts and terminology along with its traffic types and guidelines that assists you to prepare, to configure Switched Port Analyzer on a Catalyst Switch.

If you are already aware of the the SPAN features, its concepts and terminology and if you need to configure SPAN on a Catalyst switch refer to the document Configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on a Cisco Catalyst Switch that runs Cisco IOS Software.

Back to Top

Catalyst Switches that Support SPAN and RSPAN

Both SPAN and RSPAN are supported on 2950, 2955, 2948G-L2, 2948G-L3, 2948G-GE-TX, 2960, 2970, 2980G-A, 3550, 3560, 3560-E, 3750, 3750-E, 4500 model Catalyst switches.

The Catalyst switches CE 500, 2940, 2900XL and 3500XL supports only SPAN.

Back to Top

SPAN and RSPAN Terminology and Concepts

The Switched Port Analyzer (SPAN) feature, which is sometimes called port mirroring or port monitoring, selects network traffic for analysis by a network analyzer sniffer or other Remote Monitoring (RMON) probe such as a SwitchProbe device. SPAN mirrors neither received or transmitted or both, on one or more source ports or source VLANs, to a destination port for analysis.

This section describes terminology and concepts associated with SPAN and RSPAN configuration.

SPAN Terminology

Complete these steps:

• Ingress traffic—Traffic that enters the switch.

• Egress traffic—Traffic that leaves the switch.

• Source (SPAN) port —A port that is monitored with the use of the SPAN feature.

• Source (SPAN) VLAN —A VLAN whose traffic is monitored with the use of the SPAN feature.

• Destination (SPAN) port —A port that monitors source ports, usually where a network analyzer is connected.

• Reflector Port —A port that copies packets onto an RSPAN VLAN.

• Monitor port—A monitor port is also a destination SPAN port in Catalyst 2900XL/3500XL/2950 terminology.

  

• Local SPAN—The SPAN feature is local when the monitored ports are all located on the same switch as the destination port.

• Remote SPAN (RSPAN)—Some source ports are not located on the same switch as the destination port. RSPAN is an advanced feature that requires a special VLAN to carry the traffic that is monitored by SPAN between switches.

• Port-based SPAN (PSPAN)—The user specifies one or several source ports on the switch and one destination port.

• VLAN-based SPAN (VSPAN)—On a particular switch, the user can choose to monitor all the ports that belong to a particular VLAN in a single command.

• Administrative source—A list of source ports or VLANs that have been configured to be monitored.

• Operational source—A list of ports that are effectively monitored. This list of ports can be different from the administrative source. For example, a port that is in shutdown mode can appear in the administrative source, but is not effectively monitored.

SPAN Session

A local SPAN session is an association of a destination port with source ports and source VLANs. An RSPAN session is an association of source ports and source VLANs across your network with an RSPAN VLAN. The destination source is the RSPAN VLAN.

You configure SPAN sessions with the parameters that specify the source of network traffic to monitor. Traffic monitoring in a SPAN session has these restrictions on Catalyst 3550 switch:

• You can monitor incoming traffic on a series or range of ports and VLANs.

• You can monitor outgoing traffic on a single port but, you could not monitor outgoing traffic on multiple ports.

• You could not monitor outgoing traffic on VLANs.

You can configure two separate SPAN or RSPAN sessions with separate or overlapping sets of SPAN source ports and VLANs. Both switched and routed ports can be configured as SPAN sources and destinations.

SPAN sessions do not interfere with the normal operation of the switch. However, an oversubscribed SPAN destination, for example, a 10-Mbps port monitoring a 100-Mbps port, results in dropped or lost packets.

You can configure SPAN sessions on disabled ports. However, a SPAN session does not become active unless you enable the destination port and at least one source port or VLAN for that session. The show monitor session session_number privileged EXEC command displays the operational status of a SPAN session.

A SPAN session remains inactive after system power-on until the destination port is operational.

SPAN Traffic Types

SPAN sessions include these traffic types:

Receive (Rx) SPAN

The goal of receive (or ingress) SPAN is to monitor all the packets received by the source interface or VLAN before any modification or processing is performed by the switch. A copy of each packet received by the source is sent to the destination port for that SPAN session. You can monitor a series or range of ingress ports or VLANs in a SPAN session.

On tagged packets (Inter-Switch Link [ISL] or IEEE 802.1Q), the tagging is removed at the ingress port. At the destination port, if tagging is enabled, the packet appears with the ISL or 802.1Q headers. If no tagging is specified, packets appear in the native format.

Packets that are modified because of routing are copied without modification for Rx SPAN; that is, the original packet is copied. Packets that are modified because of quality of service (QoS)—for example, modified Differentiated Services Code Point (DSCP)—are copied with modification for Rx SPAN.

Some features that can cause a packet to be dropped during receive processing have no effect on SPAN; the destination port receives a copy of the packet even if the actual incoming packet is dropped. These features include IP standard and extended input access control lists (ACLs), IP standard and extended output ACLs for unicast and ingress QoS policing.VLAN maps, ingress QoS policing, and policy-based routing. Switch congestion that causes packets to be dropped also has no effect on SPAN.

Transmit (Tx) SPAN

The goal of transmit (or egress) SPAN is to monitor as much as possible all the packets sent by the source interface after all modification and processing is performed by the switch. A copy of each packet sent by the source is sent to the destination port for that SPAN session. The copy is provided after the packet is modified.

For Catalyst 3550 switch only one egress source port is allowed per SPAN session and also VLAN monitoring is not supported in the egress direction.

Packets that are modified because of routing—for example, with a time-to-live (TTL) or MAC-address modification—are duplicated at the destination port. Packets which are modified because of QoS, it is likely that the modified packet do not have the same DSCP (IP packet) or CoS (non-IP packet) as the SPAN source.

Some features that can cause a packet to be dropped while transmit processing also affects the duplicated copy for SPAN. These features include VLAN maps, IP standard and extended output ACLs on multicast packets, and egress QoS policing. In the case of output ACLs, if the SPAN source drops the packet, the SPAN destination also drops the packet. In the case of egress QoS policing, if the SPAN source drops the packet, the SPAN destination does not drop it. If the source port is oversubscribed, the destination ports could have different dropping behavior.

Characteristics of Source Port

A source port, also called a monitored port, is a switched or routed port that you monitor for network traffic analysis. In a single local SPAN session or RSPAN source session, you can monitor source port traffic, such as received (Rx), transmitted (Tx), or bidirectional (both). The switch supports any number of source ports (up to the maximum number of available ports on the switch) and any number of source VLANs.

A source port has these characteristics:

• It can be any port type, such as EtherChannel, Fast Ethernet, Gigabit Ethernet, and so forth.

• It can be monitored in multiple SPAN sessions.

• It must not be a destination port.

• Each source port can be configured with a direction (ingress, egress, or both) to monitor. For EtherChannel sources, the monitored direction applies to all physical ports in the group.

• Source ports can be in the same or different VLANs.

• For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.

VLAN Filtering

When you monitor a trunk port as a source port, all VLANs active on the trunk are monitored by default. You can use VLAN filtering in order to limit SPAN traffic monitoring on trunk source ports to specific VLANs.

• VLAN filtering applies only to trunk ports or to voice VLAN ports.

• VLAN filtering applies only to port-based sessions and is not allowed in sessions with VLAN sources.

• When a VLAN filter list is specified, only those VLANs in the list are monitored on trunk ports or on voice VLAN access ports.

• SPAN traffic that comes from other port types is not affected by VLAN filtering, which means that all VLANs are allowed on other ports.

• VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic.

• You could not mix source VLANs and filter VLANs within a session. You can have source VLANs or filter VLANs, but not both at the same time.

Characteristics of Source VLAN

VSPAN is the monitoring of the network traffic in one or more VLANs. The SPAN or RSPAN source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN.

VSPAN has these characteristics:

• All active ports in the source VLAN are included as source ports and can be monitored in either or both directions.

• On a given port, only traffic on the monitored VLAN is sent to the destination port.

• If a destination port belongs to a source VLAN, it is excluded from the source list and is not monitored.

• If ports are added to or removed from the source VLANs, the traffic on the source VLAN received by those ports is added to or removed from the sources that are monitored.

• You could not use filter VLANs in the same session with VLAN sources.

• You can monitor only Ethernet VLANs.

Characteristics of Destination Port

Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports and VLANs.

A destination port has these characteristics:

• A destination port must reside on the same switch as the source port (for a local SPAN session).

• A destination port can be any Ethernet physical port.

• A destination port can participate in only one SPAN session at a time. A destination port in one SPAN session could not be a destination port for a second SPAN session.

• A destination port could not be a source port or an EtherChannel Group

• A destination port can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group has been specified as a SPAN source. The port is removed from the group while it is configured as a SPAN destination port.

• The port does not transmit any traffic except that traffic required for the SPAN session unless learning is enabled. If learning is enabled, the port also transmits traffic directed to hosts that have been learned on the destination port.

• The state of the destination port is up/down by design. The interface shows the port in this state in order to make it evident that the port is currently not usable as a production port.

• If ingress traffic forwarding is enabled for a network security device. The destination port forwards traffic at Layer 2.

• A destination port does not participate in spanning tree while the SPAN session is active.

• When it is a destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PagP).

• A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored.

• A destination port receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed, it can become congested. This congestion can affect traffic forwarding on one or more of the source ports.

Characteristics of Reflector Port

The reflector port is the mechanism that copies packets onto an RSPAN VLAN. The reflector port forwards only the traffic from the RSPAN source session with which it is affiliated. Any device connected to a port set as a reflector port loses connectivity until the RSPAN source session is disabled.

The reflector port has these characteristics:

• It is a port set to loopback.

• It could not be an EtherChannel group, it does not trunk, and it is not possible to do a protocol filtering.

• It can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group is specified as a SPAN source. The port is removed from the group while it is configured as a reflector port.

• A port used as a reflector port could not be a SPAN source or destination port, nor can a port be a reflector port for more than one session at a time.

• It is invisible to all VLANs.

• The native VLAN for looped-back traffic on a reflector port is the RSPAN VLAN.

• The reflector port loops back untagged traffic to the switch. The traffic is then placed on the RSPAN VLAN and flooded to any trunk ports that carry the RSPAN VLAN.

• Spanning tree is automatically disabled on a reflector port.

• A reflector port receives copies of sent and received traffic for all monitored source ports.

RSPAN VLAN

The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions. It has these special characteristics:

• All traffic in the RSPAN VLAN is always flooded.

• No MAC address learning occurs on the RSPAN VLAN.

• RSPAN VLAN traffic only flows on trunk ports.

• RSPAN VLANs must be configured in VLAN configuration mode with the remote-span VLAN configuration mode command.

• STP can run on RSPAN VLAN trunks but not on SPAN destination ports.

• An RSPAN VLAN could not be a private-VLAN primary or secondary VLAN.

For VLANs 1 to 1005 that are visible to VLAN Trunking Protocol (VTP), the VLAN ID and its associated RSPAN characteristic are propagated by VTP. If you assign an RSPAN VLAN ID in the extended VLAN range (1006 to 4094), you must manually configure all intermediate switches.

It is normal to have multiple RSPAN VLANs in a network at the same time with each RSPAN VLAN defining a network-wide RSPAN session. That is, multiple RSPAN source sessions anywhere in the network can contribute packets to the RSPAN session. It is also possible to have multiple RSPAN destination sessions throughout the network, monitoring the same RSPAN VLAN and presenting traffic to the user. The RSPAN VLAN ID separates the sessions.

Back to Top

SPAN and RSPAN Example

This section explains you both SPAN and RSPAN with a diagramatic example.

In a SPAN session, you can monitor a single port for both received and sent packets.

SPAN (Local SPAN)

The Switched Port Analyzer (SPAN) feature, which is sometimes called port mirroring or port monitoring, selects network traffic for analysis by a network analyzer sniffer or other Remote Monitoring (RMON) probe such as a SwitchProbe device. SPAN mirrors neither received or transmitted (or both) traffic on a source port and received traffic on one or more source ports or source VLANs, to a destination port for analysis.

For example, in Figure-1, all traffic on port 5 (the source port) is mirrored to port 10 (the destination port). A network analyzer on port 10 receives all network traffic from port 5 though is not physically attached to port 5.

Only traffic, that enters or leaves source ports or traffic that enters source VLANs can be monitored by the use of SPAN; traffic that gets routed to ingress source ports or source VLANs could not be monitored. For example, if incoming traffic is monitored, traffic that gets routed from another VLAN to the source VLAN is not monitored. However, traffic that is received on the source VLAN and routed to another VLAN is monitored.

Remote SPAN

RSPAN extends SPAN by enabling remote monitoring of multiple switches across your network. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. The SPAN traffic from the sources is copied onto the RSPAN VLAN through a reflector port and then forwarded over trunk ports that are carrying the RSPAN VLAN to any RSPAN destination sessions monitoring the RSPAN VLAN, as shown in Figure-2.

SPAN and RSPAN do not affect the switching of network traffic on source ports or source VLANs; a copy of the packets received or sent by the source interfaces are sent to the destination interface.

You can use the SPAN or RSPAN destination port, to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) Sensor Appliance to a destination port, the IDS device can send TCP Reset packets to close down the TCP session of a suspected attacker.

Back to Top

SPAN on the Catalyst 2900XL/3500XL Switches

These are the features and the restrictions that are available:

Features that are Available and Restrictions

The port monitoring feature is not very extensive on the Catalyst 2900XL/3500XL. Therefore, this feature is relatively easy to understand.

You can create as many local PSPAN sessions as necessary. For example, you can create PSPAN sessions on the configuration port that you have chosen to be a destination SPAN port. In this case, issue the port monitor interface command in order to list the source ports that you want to monitor. A monitor port is a destination SPAN port in Catalyst 2900XL/3500XL terminology.

• The main restriction is that all the ports that relate to a particular session (whether source or destination) must belong to the same VLAN.

• If you configure the VLAN interface with an IP address, then the port monitor command monitors traffic destined to that IP address only. It also monitors the broadcast traffic that is received by the VLAN interface. However, it does not capture the traffic that flows in the actual VLAN itself. If you do not specify any interface in the port monitor command, all other ports that belong to the same VLAN as the interface are monitored.

  Note: ATM ports are the only ports that are not monitor ports. However, you can monitor ATM ports. The restrictions in this list apply for ports that have the port-monitor capability.

• A monitor port could not be in a Fast EtherChannel or Gigabit EtherChannel port group.

• A monitor port could not be enabled for port security.

• A monitor port could not be a multi-VLAN port.

• A monitor port must be a member of the same VLAN as the port that is monitored. VLAN membership changes are not allowed on monitor ports and ports that are monitored.

• A monitor port could not be a dynamic-access port or a trunk port. However, a static-access port can monitor a VLAN on a trunk, a multi-VLAN, or a dynamic-access port. The VLAN that is monitored is the one that is associated with the static-access port.

• Port monitoring does not work if both the monitor port and the port that is monitored are protected ports.

Be careful that a port in the monitor state does not run the Spanning Tree Protocol (STP) while the port still belongs to the VLAN of the ports that it mirrors. The port monitor can be part of a loop if, for instance, you connect it to a hub or a bridge and loop to another part of the network. In this case, you can end up in a catastrophic bridging loop condition because STP no longer protects you.

Back to Top

SPAN on the Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750 and 3750-E Series Switches

These are guidelines for the configuration of the SPAN feature on the Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750, and 3750-E Series Switches:

• The Catalyst 2950 Switches can have only one SPAN session active at a time and can monitor only source ports. These switches could not monitor VLANs.

• The Catalyst 2950 and 3550 Switches can forward traffic on a destination SPAN port in Cisco IOS Software Release 12.1(13)EA1 and later.

• The Catalyst 3550, 3560, and 3750 Switches can support up to two SPAN sessions at a time and can monitor source ports as well as VLANs.

• The Catalyst 2970, 3560, and 3750 Switches do not require the configuration of a reflector port when you configure an RSPAN session.

• The Catalyst 3750 Switches support session configuration with the use of source and destination ports that reside on any of the switch stack members.

• Only one destination port is allowed per SPAN session, and the same port could not be a destination port for multiple SPAN sessions. Therefore, it is not possible to have two SPAN sessions that use the same destination port.

Back to Top

RSPAN Configuration Guidelines

Follow these guidelines when configuring RSPAN:

• RSPAN sessions can coexist with SPAN sessions within the limits described in the "SPAN and RSPAN Session Limits" section.

• For RSPAN configuration, you can distribute the source ports and the destination ports across multiple switches in your network.

• A port could not serve as an RSPAN source port or RSPAN destination port while designated as an RSPAN reflector port.

• When you configure a switch port as a reflector port, it is no longer a normal switch port; only looped-back traffic passes through the reflector port.

• RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols.

• The RSPAN VLAN is configured only on trunk ports and not on access ports. To avoid unwanted traffic in RSPAN VLANs, make sure that the VLAN remote-span feature is supported in all the participating switches. Access ports on the RSPAN VLAN are silently disabled.

• RSPAN VLANs are included as sources for port-based RSPAN sessions when source trunk ports have active RSPAN VLANs. RSPAN VLANs can also be sources in SPAN sessions.

• You can configure any VLAN as an RSPAN VLAN as long as these conditions are met:

  1. No access port is configured in the RSPAN VLAN.

  2. The same RSPAN VLAN is used for an RSPAN session in all the switches.

  3. All participating switches support RSPAN.

• The RSPAN VLAN could not be VLAN 1 (the default VLAN) or VLAN IDs 1002 through 1005 (reserved to Token Ring and FDDI VLANs).

• You must create an RSPAN VLAN before configuring an RSPAN source or destination session.

• If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN-IDs that are lower than 1005.

• Because RSPAN traffic is carried across a network on an RSPAN VLAN, the original VLAN association of the mirrored packets is lost. Therefore, RSPAN can only support forwarding of traffic from an IDS device onto a single user-specified VLAN.

Back to Top

SPAN and RSPAN Interaction with other Features

SPAN interacts with these features:

• Routing—SPAN does not monitor routed traffic. VSPAN only monitors traffic that enters or exits the switch, not traffic that is routed between VLANs. For example, if a VLAN is being Rx-monitored and the switch routes traffic from another VLAN to the monitored VLAN, that traffic is not monitored and it is not received on the SPAN destination port.

• STP—A destination port does not participate in STP while its SPAN or RSPAN session is active. The destination port can participate in STP after the SPAN or RSPAN session is disabled. On a source port, SPAN does not affect the STP status. STP can be active on trunk ports carrying an RSPAN VLAN.

• CDP—A SPAN destination port does not participate in CDP while the SPAN session is active. After the SPAN session is disabled, the port again participates in CDP.

• VTP—You can use VTP to prune an RSPAN VLAN between switches.

• VLAN and trunking—You can modify VLAN membership or trunk settings for source or destination ports at any time. However, changes in VLAN membership or trunk settings for a destination port do not take effect until you remove the SPAN destination configuration. Changes in VLAN membership or trunk settings for a source port immediately take effect, and the respective SPAN sessions automatically adjust accordingly.

• EtherChannel—You can configure an EtherChannel group as a source port but, not as a SPAN destination port. When a group is configured as a SPAN source, the entire group is monitored.

If a physical port is added to a monitored EtherChannel group, the new port is added to the SPAN source port list. If a port is removed from a monitored EtherChannel group, it is automatically removed from the source port list.

A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still be a part of the EtherChannel. In this case, data from the physical port is monitored as it participates in the EtherChannel. However, if a physical port that belongs to an EtherChannel group is configured as a SPAN destination, it is removed from the group. After the port is removed from the SPAN session, it rejoins the EtherChannel group. Ports removed from an EtherChannel group remain members of the group, but they are in the inactive or suspended state.

If a physical port that belongs to an EtherChannel group is a destination port and the EtherChannel group is a source, the port is removed from the EtherChannel group and from the list of monitored ports.

• Multicast traffic can be monitored. For egress and ingress port monitoring, only a single unedited packet is sent to the SPAN destination port. It does not reflect the number of times the multicast packet is sent.

• A private-VLAN port could not be a SPAN destination port.

• A secure port could not be a SPAN destination port.

  For SPAN sessions, you must not enable port security on ports with monitored egress when ingress forwarding is enabled on the destination port. For RSPAN source sessions, you must not enable port security on any ports with monitored egress.

• An IEEE 802.1x port can be a SPAN source port. You can enable IEEE 802.1x on a port that is a SPAN destination port. However, IEEE 802.1x is disabled until the port is removed as a SPAN destination.

  For SPAN sessions, do not enable IEEE 802.1x on ports with monitored egress when ingress forwarding is enabled on the destination port. For RSPAN source sessions, do not enable IEEE 802.1x on any ports that are egress monitored.

Back to Top

SPAN and RSPAN Session Limits

You can configure (and store in NVRAM) a maximum of two SPAN or RSPAN sessions on each switch. You can divide the two sessions between SPAN, RSPAN source, and RSPAN destination sessions. You can configure multiple source ports or source VLAN s for each session.

On the Catalyst 2900XL/3500XL Series Switches, the number of destination ports that are available on the switch is the only limit to the number of SPAN sessions.

On the Catalyst 2950 Series Switches, you can have only one assigned monitor port at any time. If you select another port as the monitor port, the previous monitor port is disabled, and the newly selected port becomes the monitor port.

On the Catalyst 4500/4000 Switches with CatOS 5.1 and later, you can have several concurrent SPAN sessions.

Back to Top

Default SPAN and RSPAN Configuration

The table shows the default SPAN and RSPAN configuration.

Back to Top

Next Step

You have completed this procedure and prepared to configure SPAN.

To configure your SPAN on a Catalyst switch, refer to Configure Switched Port Analyzer (SPAN) on a Catalyst Switch that runs Cisco IOS Software.

To make other changes to your switch, refer to the Switch Support Page.

To configure other devices in your network, refer to the Configuration Overview Page.

If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

Back to Top

Related Information

• Create a HyperTerminal Connection
• Configure a Catalyst Switch with Cisco Network Assistant
• Configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on a Cisco Catalyst Switch that runs Cisco IOS Software