The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes how to configure local Switched Port Analyzer (SPAN) and remote SPAN (RSPAN).
MAC learning should be disabled using the mac-address-table limit [rspan vlan/bd] maximum num action limit command before configuring the RSPAN VLAN.
RSPAN VLAN must be dedicated and entire Layer 2 devices in the network must be aware of the VLAN.
RSPAN source and destinations switches separated by the VPLS pseudowire must be aware of the RSPAN VLAN/ brige domain (BD).
Pseudowire must be dedicated for RSPAN traffic.
The RSPAN destination session is not required when the destination switch is connected to source switch through Layer2 VPN. Thus, in the destination switch, the destination port must configured with the service instance with encapsulation as RSPAN VLAN/BD and bridge domain as RSPAN VLAN/BD and the MAC address learning should be disabled on RSPAN BD/VLAN.
SPAN monitoring of port-channel interfaces or port-channel member-links is not supported.
The SPAN port does not work for Rx traffic on the pseudowire for interfaces, when the SPAN port is in different ASIC of the RSP2 module.
RSP3 module
Destination port of SPAN session, cannot be used for other network data traffic flow.
Multiple destinations for same SPAN session is not supported on the Cisco ASR 900 Series RSP3 module.
Jumbo sized packets and bad CRC packets are not spanned.
Combined Egress local SPAN bandwidth supported is about 100GB depending on other traffic on the internal recycle interface.
Port-channel cannot be used as the SPAN destination.
If RSPAN BD is associated with a VPLS pseudowire, the traffic flows through the VPLS pseudowire.
If RSPAN source and destination are separated by pseudowire, then the RSPAN VLAN details must be updated to both RSPAN source switch and destination switch. The pseudowire should also be dedicated for RSPAN traffic.
BDI should not be created when that BD is part of RSPAN.
Monitor session should be created only after RSPAN BD is created.
Do not have RSPAN bridge domain as part of RSPAN source interface.
RSP3 module
RSPAN is not supported on the Cisco ASR 900 Series RSP3 module.
A local Switched Port Analyzer (SPAN) session is an association of a destination interface with a set of source interfaces. You configure local SPAN sessions using parameters that specify the type of network traffic to monitor. Local SPAN sessions allow you to monitor traffic on one or more interfaces and to send either ingress traffic, egress traffic, or both to one destination interface.
Local SPAN sessions do not interfere with the normal operation of the switch. You can enable or disable SPAN sessions with command-line interface (CLI) commands. When enabled, a local SPAN session might become active or inactive based on various events or actions, and this would be indicated by a syslog message. The show monitor session span session number command displays the operational status of a SPAN session.
A local SPAN session remains inactive after system power-up until the destination interface is operational.
The following configuration guidelines apply when configuring local SPAN:
Network traffic, including multicast, can be monitored using SPAN. Multicast packet monitoring is enabled by default. In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination interface. For example, a bidirectional (both ingress and egress) SPAN session is configured for sources a1 and a2 to a destination interface d1. If a packet enters the switch through a1 and gets switched to a2, both incoming and outgoing packets are sent to destination interface d1; both packets would be the same (unless a Layer-3 rewrite had occurred, in which case the packets would be different).
An RSPAN source session is an association of source ports or Vlans across your network with an RSPAN Vlan. The RSPAN Vlan/BD on the router is the destination RSPAN session.
RSPAN supports source ports and source Vlans in the source switch and destination as RSPAN Vlan/BD.
The figure below shows the original traffic from the Host A to Host B via the source ports or Vlans on Host A. The source ports or Vlans of Host A is mirrored to Host B using RSPAN Vlan 10. The traffic for each RSPAN session is carried over a user-specified RSPAN Vlan that is dedicated for that RSPAN session in all participating devices. The traffic from the source ports or Vlans are mirrored into the RSPAN Vlan and forwarded over Trunk or the EVC bridge domain (BD) ports carrying the RSPAN Vlan to a destination session monitoring the RSPAN Vlan.
Each RSPAN source must have either ports or Vlans as RSPAN sources. On RSPAN destination, the RSPAN Vlan is monitored and mirrored to the destination physical port connected to the sniffer device.
RSPAN allows remote monitoring of traffic where the source and destination switches are connected by L2VPN networks
The RSPAN source is either ports or Vlans as in a traditional RSPAN. However, the SPAN source and destination devices are connected through a L2 pseudowire associated with the RSPAN Vlan over an MPLS/IP network. The L2 pseudowire is dedicated for only RSPAN traffic. The mirrored traffic from the source port or Vlan is carried over the pseudowire associated with the RSPAN Vlan towards the destination side. On the destination side, a port belonging to the RSPAN Vlan or EVC BD is connected to sniffer device.
A destination interface, also called a monitor interface, is a switched interface to which SPAN or RSPAN sends packets for analysis. You can have only one destination interface for SPAN sessions.
An interface configured as a destination interface cannot be configured as a source interface. Specifying a trunk interface as a SPAN or RSPAN destination interface stops trunking on the interface.
A source interface is an interface monitored for network traffic analysis. An interface configured as a destination interface cannot be configured as a source interface.
Ingress SPAN (Rx) copies network traffic received by the source interfaces for analysis at the destination interface. Egress SPAN (Tx) copies network traffic transmitted from the source interfaces to the destination interface. Specifying the configuration option (both) copies network traffic received and transmitted by the source interfaces to the destination interface.
The following table lists the supported traffic types for RSPAN.
Source |
Ingress Mirror (Rx) |
Egress Mirror (Tx) |
Both |
---|---|---|---|
Layer2 or Layer3 |
Supported |
Supported |
Supported |
VLAN |
Supported |
Not supported |
Not supported |
EFP |
Not supported |
Not supported |
Not supported |
Pseudowire |
Not supported |
Not supported |
Not supported |
The following table lists the supported rewrite traffic for RSPAN on the EFP, Trunk with the associated RSPAN bridge domains.
Rewrite Operations |
Source |
EFP/Trunk associated with RSPAN BD |
---|---|---|
no-rewrite |
Pop1, Pop2, Push1 |
Only Pop1 |
The following tables lists the format of the spanned packets at the destination port for both Ingress and Egress RSPAN. The tables lists the formats of untagged, single, and double tagged source packets for EFPs under source port configured with rewrite operations (no-rewrite, pop1, pop2 and push1).
|
Ingress Traffic |
Egress Traffic |
---|---|---|
(Untagged Traffic) - Source port rewrite |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
no-rewrite |
RSPAN BD tag + packet |
RSPAN BD tag + packet |
pop1 tag |
NA |
NA |
pop2 tag |
NA |
NA |
push1 tag |
NA |
NA |
(Single Traffic)-Source port rewrite |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
no-rewrite |
RSPAN BD tag + source-outer-tag + packet |
RSPAN BD tag + source-outer-tag + packet |
pop1 tag |
||
pop2 tag |
NA |
|
push1 tag |
RSPAN BD tag + source-outer-tag + packet |
|
(Double traffic) - Source port rewrite |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
no-rewrite |
RSPAN BD tag + source-outer-tag + source-inner-tag + packet |
RSPAN BD tag + Source-inner-tag + packet |
pop1 tag |
||
pop2 tag |
||
push1 tag |
|
Ingress Traffic |
Egress Traffic |
---|---|---|
(Untagged traffic)- Source port rewrite |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
no-rewrite |
RSPAN BD tag + packet |
RSPAN BD tag + packet |
pop1 tag |
NA |
NA |
pop2 tag |
NA |
NA |
push1 tag |
NA |
NA |
(Single traffic)-Source port rewrite |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
no-rewrite |
RSPAN BD tag + source-outertag + packet |
RSPAN BD tag + source-outertag + packet |
pop1 tag |
||
pop2 tag |
NA |
|
push1 tag |
RSPAN BD tag + source-outertag + packet |
|
(Double traffic) -Source port rewrite |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
no-rewrite |
RSPAN BD tag + source-outertag + source-innertag+ packet
|
RSPAN BD tag + source-outertag + source-innertag + packet |
pop1 tag |
||
pop2 tag |
||
push1 tag |
|
Ingress Traffic |
Egress Traffic |
---|---|---|
(Untagged traffic) - Source port rewrite |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
no-rewrite |
RSPAN BD tag + packet |
RSPAN BD tag + packet |
pop1 tag |
NA |
NA |
pop2 tag |
NA |
NA |
push1 tag |
NA |
NA |
(Single traffic)- Source port rewrite |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
no-rewrite |
RSPAN BD tag + source-outer-tag + packet |
RSPAN BD tag + source-outer-tag + packet
|
pop1 tag |
||
pop2 tag |
NA |
NA |
push1 tag |
RSPAN BD tag + source-outer-tag + packet |
RSPAN BD tag + source-outer-tag + packet |
(Double traffic)-Source port rewrite |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
RSPAN Vlan (BD) rewrite pop1 tag symmetric |
no-rewrite |
RSPAN BD tag + source-outer-tag + source-inner-tag + packet
|
RSPAN BD tag + source-outer-tag + source-inner-tag + packet |
pop1 tag |
||
pop2 tag |
||
push1 tag |
To configure sources and destinations for a SPAN session:
1.
configure
terminal
2.
monitor
session
{session_number}
type
local
3.
source
interface
interface_type
slot/subslot/port
[,
|
-
|
rx
|
tx
|
both]
4.
destination
interface
interface_type
slot/subslot/port
[,
|
-]
5.
no
shutdown
To remove sources or destinations from a local SPAN session, use the following commands beginning in EXEC mode:
1.
enable
2.
configure
terminal
3.
no
monitor
session
session-number
Command or Action | Purpose |
---|
To configure the source for a RSPAN session:
1.
enable
2.
configure
terminal
3.
monitor
session
RSPAN_source_session_number
type
rspan-source
4. source {single_interface slot/subslot/port| single_vlan [rx | tx | both]
5.
destination
remote
vlan
rspan_vlan_ID
6.
no shutdown
7.
end
To configure the destination for a RSPAN session for remote Vlan:
1.
enable
2.
configure
terminal
3.
monitor
session
RSPAN_destination_session_number
type
rspan-destination
4.
source
remote
vlan
rspan_vlan_ID
5. destination {single_interface slot/subslot/port}
6.
no shutdown
7.
end
To remove sources or destinations from a RSPAN session:
1.
enable
2.
configure
terminal
3.
monitor
session
session_number
4.
no
{source |
destination} {single_interface
slot/subslot/port |
single_vlan} [
, |
-
both
|
rx |
tx]
5.
no monitor session session number
6.
end
The following sections contain configuration examples for SPAN and RSPAN.
The following example shows how to configure local SPAN session 8 to monitor bidirectional traffic from source interface Gigabit Ethernet interface to destination:
Router(config)# monitor session 8 type local Router(config)# source interface gigabitethernet 0/0/10 Router(config)# destination interface gigabitethernet 0/0/3 Router(config)# no shut
This following example shows how to remove a local SPAN session:
Router(config)# no monitor session 8
The following example shows how RSPAN session 2 to monitor bidirectional traffic from source interface Gigabit Ethernet 0/0/1:
Router(config)# monitor session 2 type RSPAN-source Router(config-mon-RSPAN-src)# source interface gigabitEthernet0/0/1 [tx |rx|both] Router(config-mon-RSPAN-src)# destination remote VLAN 100 Router(config-mon-RSPAN-src)# no shutdown Router(config-mon-RSPAN-src)# end
The following example shows how RSPAN session 3 to monitor bidirectional traffic from source Vlan 20:
Router(config)# monitor session 3 type RSPAN-source Router(config-mon-RSPAN-src)# source VLAN 20 rx Router(config-mon-RSPAN-src)# destination remote VLAN 100 Router(config-mon-RSPAN-src)# no shutdown Router(config-mon-RSPAN-src)# end
The following example shows how to configure interface Gigabit Ethernet 0/0/1 as the destination for RSPAN session 2:
Router(config)# monitor session 2 type RSPAN-destination Router(config-mon-RSPAN-dst)# source remote VLAN 100 Router(config-mon-RSPAN-dst)# destination interface gigabitEthernet 0/0/1 Router(config-mon-RSPAN-dst)# end
Use the show monitor session command to view the sessions configured.
Router# show monitor session 8 Session 8 --------- Type : Local Session Status : Admin Enabled Source Ports : TX Only : Gi0/0/10 Destination Ports : Gi0/0/3 MTU : 1464 Dest RSPAN VLAN : 100
Router# show monitor session 2 Session 2 --------- Type : Remote Source Session Status : Admin Enabled Source Ports : Both : Gi0/0/1 MTU : 1464
Router# show monitor session 3 Session 3 --------- Type : Remote Source Session Status : Admin Enabled Source VLANs : RX Only : 20 MTU : 1464
Router# show monitor session 2 Session 2 --------- Type : Remote Destination Session Status : Admin Enabled Destination Ports : Gi0/0/1 MTU : 1464 Source RSPAN VLAN : 100