Configuring SPAN

This chapter describes how to configure Switched Port Analyzer (SPAN) on the Cisco 7600 series Internet Routers.

Understanding How SPAN Works
SPAN Configuration Guidelines and Restrictions
Configuring SPAN

Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco 7600 Series Internet Router IOS Command Reference publication.

Understanding How SPAN Works

SPAN Overview

SPAN selects network traffic for analysis by a network analyzer such as a SwitchProbe device or other Remote Monitoring (RMON) probe. SPAN mirrors traffic from one or more source ports on any VLAN or from one or more VLANs to a destination port for analysis (see Figure 28-1). In Figure 28-1, all traffic on Ethernet port 5 (the source port) is mirrored to Ethernet port 10. A network analyzer on Ethernet port 10 receives all network traffic from Ethernet port 5 without being physically attached to it.

For SPAN configuration, the source ports and the destination port must be on the same Cisco 7600 series Internet Router.

SPAN does not affect the switching of network traffic on source ports; a copy of the packets received or transmitted by the source ports are sent to the destination port.

SPAN Session

A SPAN session is an association of a destination port with a set of source ports; you configure SPAN sessions using parameters that specify the type of network traffic to monitor. SPAN sessions allow you to monitor traffic on one or more ports, or one or more VLANs, and send either ingress traffic, egress traffic, or both to one or more destination ports. You can configure two separate SPAN sessions with separate or overlapping sets of SPAN source ports or VLANs. Both switched and routed ports can be configured as SPAN sources.

SPAN sessions do not interfere with the normal operation of the Internet Router. You can enable or disable SPAN sessions with command-line interface (CLI) or SNMP commands.

Destination Interface

A destination port (also called a monitor interface) is a switched or routed port where SPAN sends packets for analysis. You can have up to 64 SPAN destination ports. Once a port becomes an active destination port, incoming traffic is disabled. You cannot configure a SPAN destination port to receive ingress traffic. The port does not forward any traffic except that required for the SPAN session.

A port specified as a destination port in one SPAN session, cannot be a destination port for a second SPAN session. A port configured as a destination port cannot be configured as a source port. EtherChannel interfaces cannot be SPAN destination interfaces.

With Release 12.1(11b)EX, you can configure trunk ports as destination ports, which allows destination trunk ports to transmit encapsulated traffic.

Source Interface

A source port is an port monitored for network traffic analysis. One or more source ports can be monitored in a single SPAN session with user-specified traffic types (ingress, egress, or both) applicable for all the source ports. You can have only one egress port and up to 64 ingress ports.

You can configure source ports in any VLAN. You can configure VLANs as sources, which means that all ports in the specified VLANs are source ports for the SPAN session.

Trunk ports can be configured as source ports and mixed with nontrunk source ports.

Traffic Types

Ingress SPAN (Rx) copies network traffic received by the source ports for analysis at the destination port. Egress SPAN (Tx) copies network traffic transmitted from the source ports. Specifying the configuration option "both" copies network traffic received and transmitted by the source ports to the destination port.

VLAN-Based SPAN

VLAN-based SPAN is analysis of the network traffic in one or more VLANs. You can configure VLAN based-SPAN as ingress SPAN, egress SPAN, or both. All the ports in the source VLANs become source ports for the VLAN-based SPAN session.

Trunk ports are included as source ports for VLAN-based SPAN sessions. By default, all VLANs are monitored on a trunk port.
For VLAN-based SPAN sessions with both ingress and egress SPAN configured, two packets are forwarded by the SPAN destination port if the packets get switched on the same VLAN.
When a VLAN is cleared, it is removed from the source list for VLAN-based SPAN sessions.
If a VLAN is being ingress monitored and the Multilayer Switch Feature Card (MSFC) routes traffic from another VLAN to the monitored VLAN, that traffic is not monitored—it is not seen on the SPAN destination port. Additionally, traffic that gets routed from an egress-monitored VLAN to some other VLAN does not get monitored. VLAN-based SPAN only monitors traffic that leaves or enters the Internet Router, not traffic that gets routed between VLANs.

SPAN Traffic

All network traffic, including multicast and bridge protocol data unit (BPDU) packets, can be monitored using SPAN. Multicast packet monitoring is enabled by default.

In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination port. For example, a bidirectional (both ingress and egress) SPAN session is configured for sources a1 and a2 to a destination port d1. If a packet enters the Internet Router through a1 and gets switched to a2, both incoming and outgoing packets are sent to destination port d1; both packets would be the same (unless a Layer-3 rewrite had occurred, in which case the packets would be different).

SPAN Configuration Guidelines and Restrictions

Use a network analyzer to monitor ports.
You can configure (and store in NVRAM) a maximum of two SPAN sessions. Each session can contain source interfaces in both ingress and egress directions.
You can configure both Layer 2 LAN ports (ports configured with the switchport command) and Layer 3 LAN ports (ports not configured with the switchport command) as SPAN sources or destinations.
With Release 12.1(11b)EX and later, you can configure SPAN designating ports as trunks to capture tagged traffic.
You cannot mix individual source ports and source VLANs within a single SPAN session.
You cannot mix source VLANs and filter VLANs within a SPAN session. You can have source VLANs or filter VLANs, but not both at the same time.
For SPAN source ports you can have only one egress port and up to 64 ingress ports.
You can have up to 64 SPAN destination ports.
EtherChannel interfaces can be SPAN sources; they cannot be SPAN destinations.
When enabled, SPAN uses any previously entered configuration.
When you specify source ports and do not specify a traffic type (Tx, Rx, or both), "both" is used by default.
If you specify multiple SPAN source ports, the ports can belong to different VLANs.
Enter the no monitor session number command with no other parameters to clear the SPAN session number.
The no monitor command clears all SPAN sessions.
You cannot configure a SPAN destination ports to receive ingress traffic.
SPAN destinations never participate in any spanning tree instance. SPAN includes BPDUs in the monitored traffic, so any BPDUs seen on the SPAN destination are from the SPAN source.
All packets sent through the switch to a trunk port configured as an egress SPAN source are mirrored to the destination SPAN port, including packets that do not exit the switch through the trunk port because they are in VLANs that are in the STP blocking state.

Configuring SPAN

Configuring SPAN Sources
Monitoring Source VLANs on a Source Trunk Interface
Configuring SPAN Destination Ports
Verifying the SPAN Configuration

Note Entering SPAN configuration commands does not clear previously configured SPAN parameters. You must enter the no monitor session command to clear configured SPAN parameters.

Note With Release 12.1(11b)E and later, when you are in configuration mode you can enter EXEC mode-level commands by entering the do keyword before the EXEC mode-level command.

Configuring SPAN Sources

Command	Purpose
Router(config)# monitor session session_number {source {interface type slot/port} \| {vlan vlan_ID}} [, \| - \| rx \| tx \| both]	Configures the SPAN session number (1 or 2), the source ports or VLANs, and the traffic direction to be monitored.
Router(config)# no monitor session session_number [{source {interface type slot/port} \| {vlan vlan_ID}} [, \| - \| rx \| tx \| both]]	Clears the SPAN source configuration.

This example shows how to configure SPAN session 1 to monitor bidirectional traffic from source Fast Ethernet port 5/1:

Monitoring Source VLANs on a Source Trunk Interface

To monitor specific VLANs when the SPAN source is a trunk port, perform this task:

Command	Purpose
Router(config)# monitor session session_number filter {vlan_ID} [, \| - ]	Monitors specific VLANs when the SPAN source is a trunk port.
Router(config)# no monitor session session_number filter {vlan_ID} [, \| - ]	Clears SPAN trunk source configuration.

This example shows how to monitor VLANs 1 through 5 and VLAN 9 when the SPAN source is a trunk port:

Configuring SPAN Destination Ports

Configuring a SPAN Destination Port as an Unconditional Trunk

To tag the SPAN traffic with Release 12.1(11b)EX and later, configure the SPAN destination port as a trunk.

	Command	Purpose
Step 1	Router(config)# interface type¹ slot/port	Selects the LAN port to configure.
Step 2	Router(config-if)# switchport	Configures the LAN port for Layer 2 switching (required only if the LAN port is not already configured for Layer 2 switching).
Step 3	Router(config-if)# switchport trunk encapsulation {isl \| dot1q}	Configures the encapsulation, which configures the Layer 2 switching port as either an ISL or 802.1Q trunk.
Step 4	Router(config-if)# switchport mode trunk	Configures the port to trunk unconditionally.
Step 5	Router(config-if)# switchport nonegotiate	Configures the trunk not to use DTP.

1type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet

This example shows how to configure a port as an unconditional IEEE 802.1q trunk:

Configuring a Port as a SPAN Destination

Command	Purpose
Router(config)# monitor session session_number {destination {interface type slot/port} [, \| - ] \| {vlan vlan_ID}}	Configures the SPAN session number (1 or 2) and the destination ports or VLANs.
Router(config)# no monitor session session_number [{destination {interface type slot/port} \| {vlan vlan_ID}}]	Clears the SPAN destination configuration.

This example shows how to configure Fast Ethernet port 5/48 as the destination for SPAN session 1:

Verifying the SPAN Configuration

Table of Contents