Configuring Switched Port Analyzer

This document describes how to configure local Switched Port Analyzer (SPAN) and remote SPAN (RSPAN) on the router.

Prerequisites for Configuring Local SPAN and RSPAN

Local SPAN

  • Use a network analyzer to monitor interfaces.

RSPAN

  • Before configuring RSPAN sessions, you must first configure:
    1. Source interface

    2. Destination Bridge Domain over VPLS

Restrictions for Local Span and RSPAN

Local Span

  • Local SPAN is only supported on physical ports.

  • VLAN filtering is not supported.

  • SPAN monitoring of port-channel interfaces or port-channel member-links is not supported.

  • Combined Egress local SPAN bandwidth supported is 1 GB.

  • Local SPAN is not supported on logical interfaces such as VLANs or EFPs.

  • Up to 14 active local SPAN sessions (ingress and egress) are supported. The router supports up to 14 ingress sessions and up to 12 egress sessions.

  • Only one local SPAN destination interface is supported. You cannot configure a local SPAN destination interface to receive ingress traffic.

  • Outgoing Cisco Discovery Protocol (CDP) and Bridge Protocol Data Unit (BPDU) packets are not replicated.

  • When enabled, local SPAN uses any previously entered configuration.

  • When you specify source interfaces and do not specify a traffic direction (Tx, Rx, or both), both is used by default.

  • Local SPAN destinations never participate in any spanning tree instance. Local SPAN includes BPDUs in the monitored traffic, so any BPDUs seen on the local SPAN destination are from the local SPAN source.

  • Local SPAN sessions with overlapping sets of local SPAN source interfaces or VLANs are not supported.

RSPAN

  • RSPAN VLAN/BD is not used for data traffic.

  • The maximum number of supported RSPAN sessions are 14.

  • Only one source port is supported per RSPAN.

  • Only port channel RSPAN is supported.

  • Per member link RSPAN is not supported.

  • Source ranges (VLAN range or port range) is not supported.

  • VLAN filtering is not supported.

  • If two RSPAN configurations sessions are configured on two RSPAN BDs associated to the same Trunk EFP, the traffic from the first session flows to the second session after it is configured.

  • RSPAN destination configuration for Layer2 pseudowire is not supported.

  • If RSPAN BD is associated with a VPLS pseudowire, the traffic flows through the VPLS pseudowire.

  • Do not have RSPAN bridge domain as part of RSPAN source interface.

  • RSPAN spans the Rx traffic even when the classifying service instance of the receiving port is in admin down state.

  • If RSPAN source and destinations are separated by pseudowire, then the RSPAN details must be updated on both RSPAN source switch and destination switch. The pseudowire should also be dedicated for RSPAN traffic.


Note

Incomplete configuration of RSPAN / LSPAN will result in traffic drop issues.

Understanding Local SPAN and RSPAN

Information About Local SPAN Session and RSPAN Session

Local SPAN Session

A local Switched Port Analyzer (SPAN) session is an association of a destination interface with a set of source interfaces. You can configure local SPAN sessions to monitor all traffic in a specified direction. Local SPAN sessions allow you to monitor traffic on one or more interfaces and to send either ingress traffic, egress traffic, or both to one destination interface.

Local SPAN sessions do not interfere with the normal operation of the switch. You can enable or disable SPAN sessions with command-line interface (CLI) commands. When enabled, a local SPAN session might become active or inactive based on various events or actions, and this would be indicated by a syslog message. The show monitor session span session number command displays the operational status of a SPAN session.

A local SPAN session remains inactive after system power-up until the destination interface is operational.

The following configuration guidelines apply when configuring local SPAN on the router:

  • When enabled, local SPAN uses any previously entered configuration.

  • Use the no monitor session session number command with no other parameters to clear the local SPAN session number.

Local SPAN Traffic

Network traffic, including multicast, can be monitored using SPAN. Multicast packet monitoring is enabled by default. In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination interface. For example, a bidirectional (both ingress and egress) SPAN session is configured for sources a1 and a2 to a destination interface d1. If a packet enters the switch through a1 and gets switched to a2, both incoming and outgoing packets are sent to destination interface d1; both packets would be the same (unless a Layer-3 rewrite had occurred, in which case the packets would be different).

RSPAN Session

An RSPAN source session is an association of source ports or VLAN across your network with an RSPAN Vlan. The RSPAN VLAN/BD on the router is the destination RSPAN session.

RSPAN Traffic for RSP2 Module

RSPAN supports source ports and source VLANs in the source switch and destination as RSPAN VLAN/BD.

The figure below shows the original traffic from the Host A to Host B via the source ports or VLANs on Host A. The source ports or VLANs of Host A is mirrored to Host B using RSPAN VLAN 10. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating devices. The traffic from the source ports or VLANs are mirrored into the RSPAN VLAN and forwarded over Trunk or the EVC bridge domain (BD) ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN.

Each RSPAN source must have either ports or VLANs as RSPAN sources. On RSPAN destination, the RSPAN VLAN is monitored and mirrored to the destination physical port connected to the sniffer device.

Figure 1. RSPAN Traffic

RSPAN allows remote monitoring of traffic where the source and destination switches are connected by L2VPN networks

The RSPAN source is either ports or VLANs as in a traditional RSPAN. However, the SPAN source and destination devices are connected through a L2 pseudowire associated with the RSPAN VLAN over an MPLS/IP network. The L2 pseudowire is dedicated for only RSPAN traffic. The mirrored traffic from the source port or VLAN is carried over the pseudowire associated with the RSPAN VLAN towards the destination side. On the destination side, a port belonging to the RSPAN VLAN or EVC BD is connected to sniffer device.

Destination Interface

A destination interface, also called a monitor interface, is a switched interface to which SPAN or RSPAN sends packets for analysis. You can have only one destination interface for SPAN sessions.

An interface configured as a destination interface cannot be configured as a source interface. Specifying a trunk interface as a SPAN or RSPAN destination interface stops trunking on the interface.

Source Interface

A source interface is an interface monitored for network traffic analysis. An interface configured as a destination interface cannot be configured as a source interface.

Traffic Directions

Ingress SPAN (Rx) copies network traffic received by the source interfaces for analysis at the destination interface. Egress SPAN (Tx) copies network traffic transmitted from the source interfaces to the destination interface. Specifying the configuration option (both) copies network traffic received and transmitted by the source interfaces to the destination interface.

The following table lists the supported traffic types for RSPAN.

Table 1. RSPAN over VPLS Traffic for RSP3 module

Source

Ingress Mirror (Rx)

Egress Mirror (Tx)

Both

CFM

Not Supported

Supported

Not Supported

Layer 2

Supported

Supported

Supported

Layer 3

Incoming Ethernet and VLAN header are stripped off and RSPANed over VPLS

Supported

Not Supported

L2VPN

Not Supported

Supported

Not Supported

L3VPN

Not Supported

Supported

Not Supported

L3VPN over BDI

Not Supported

Supported

Not Supported

MPLS

Incoming Ethernet and VLAN header are stripped off and RSPANed over VPLS

Supported

Not Supported

Routed PW

Not Supported

Supported

Not Supported

VPLS

Not supported for bidirectional traffic

Supported

Not Supported

Table 2. RSPAN Traffic

Source

Ingress Mirror (Rx)

Egress Mirror (Tx)

Both

Layer2 or Layer3

Supported

Supported

Supported

VLAN

Supported

Not supported

Not supported

EFP

Not supported

Not supported

Not supported

Pseudowire

Not supported

Not supported

Not supported

The following table lists the supported rewrite traffic for RSPAN on the EFP, Trunk with the associated RSPAN Bridge Domains (BD).

Table 3. Rewrite Traffic for RSPAN BD

Rewrite Operations

Source

EFP/Trunk associated with RSPAN BD

no-rewrite

Pop1, Pop2, Push1

Only Pop1

The following tables lists the format of the spanned packets at the destination port for both Ingress and Egress RSPAN. The tables lists the formats of untagged, single, and double tagged source packets for EFPs under source port configured with rewrite operations (no-rewrite, pop1, pop2 and push1).

Table 4. Destination Port Ingress and Egress Spanned Traffic for EVC RSPAN BD

Ingress Traffic

Egress Traffic

(Untagged Traffic) - Source port rewrite

RSPAN VLAN (BD) rewrite pop1 tag symmetric

RSPAN VLAN (BD) rewrite pop1 tag symmetric

no-rewrite

RSPAN BD tag + packet

RSPAN BD tag + packet

pop1 tag

NA

NA

pop2 tag

NA

NA

push1 tag

NA

NA

(Single Traffic)-Source port rewrite

RSPAN VLAN (BD) rewrite pop1 tag symmetric

RSPAN VLAN (BD) rewrite pop1 tag symmetric

no-rewrite

RSPAN BD tag + source-outer-tag + packet

RSPAN BD tag + source-outer-tag + packet

pop1 tag

pop2 tag

NA

push1 tag

RSPAN BD tag + source-outer-tag + packet

(Double traffic) - Source port rewrite

RSPAN VLAN (BD) rewrite pop1 tag symmetric

RSPAN VLAN (BD) rewrite pop1 tag symmetric

no-rewrite

RSPAN BD tag + source-outer-tag + source-inner-tag + packet

RSPAN BD tag + Source-inner-tag + packet

pop1 tag

pop2 tag

push1 tag

Table 5. Destination Port Ingress and Egress Spanned Traffic for TEFP RSPAN BD

Ingress Traffic

Egress Traffic

(Untagged traffic)- Source port rewrite

RSPAN VLAN (BD) rewrite pop1 tag symmetric

RSPAN VLAN (BD) rewrite pop1 tag symmetric

no-rewrite

RSPAN BD tag + packet

RSPAN BD tag + packet

pop1 tag

NA

NA

pop2 tag

NA

NA

push1 tag

NA

NA

(Single traffic)-Source port rewrite

RSPAN VLAN (BD) rewrite pop1 tag symmetric

RSPAN VLAN (BD) rewrite pop1 tag symmetric

no-rewrite

RSPAN BD tag + source-outertag + packet

RSPAN BD tag + source-outertag + packet

pop1 tag

pop2 tag

NA

push1 tag

RSPAN BD tag + source-outertag + packet

(Double traffic) -Source port rewrite

RSPAN VLAN (BD) rewrite pop1 tag symmetric

RSPAN VLAN (BD) rewrite pop1 tag symmetric

no-rewrite

RSPAN BD tag + source-outertag + source-innertag+ packet

RSPAN BD tag + source-outertag + source-innertag + packet

pop1 tag

pop2 tag

push1 tag

Table 6. Destination Port Ingress and Egress Spanned Traffic for RSPAN BD with VPLS Pseudowire (RSP2 module)

Ingress Traffic

Egress Traffic

(Untagged traffic) - Source port rewrite

RSPAN VLAN (BD) rewrite pop1 tag symmetric

RSPAN VLAN (BD) rewrite pop1 tag symmetric

no-rewrite

RSPAN BD tag + packet

RSPAN BD tag + packet

pop1 tag

NA

NA

pop2 tag

NA

NA

push1 tag

NA

NA

(Single traffic)- Source port rewrite

RSPAN VLAN (BD) rewrite pop1 tag symmetric

RSPAN VLAN (BD) rewrite pop1 tag symmetric

no-rewrite

RSPAN BD tag + source-outer-tag + packet

RSPAN BD tag + source-outer-tag + packet

pop1 tag

pop2 tag

NA

NA

push1 tag

RSPAN BD tag + source-outer-tag + packet

RSPAN BD tag + source-outer-tag + packet

(Double traffic)-Source port rewrite

RSPAN VLAN (BD) rewrite pop1 tag symmetric

RSPAN VLAN (BD) rewrite pop1 tag symmetric

no-rewrite

RSPAN BD tag + source-outer-tag + source-inner-tag + packet

RSPAN BD tag + source-outer-tag + source-inner-tag + packet

pop1 tag

pop2 tag

push1 tag

Configuring Local SPAN and RSPAN

Configuring Sources and Destinations for Local SPAN

To configure sources and destinations for a SPAN session:

SUMMARY STEPS

  1. configure terminal
  2. monitor session { session_number } type local
  3. source interface interface_type slot/subslot/port [, | - | rx | tx | both]
  4. destination interface interface_type slot/subslot/port [, | -]
  5. no shutdown
  6. End

DETAILED STEPS


Step 1

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 2

monitor session { session_number } type local

Example:


Router(config)# monitor session 1 type local 

Specifies the local SPAN session number and enters the local monitoring configuration mode.

  • session_number —Indicates the monitor session. The valid range is 1 through 14.
Step 3

source interface interface_type slot/subslot/port [, | - | rx | tx | both]

Example:


Router(config-mon-local)# source interface gigabitethernet 0/2/1 rx

Specifies the source interface and the traffic direction:

  • interface_type —Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface.
    • slot/subslot/port —The location of the interface.
  • “,”—List of interfaces
  • “–”—Range of interfaces
  • rx—Ingress local SPAN
  • tx—Egress local SPAN
  • both
Step 4

destination interface interface_type slot/subslot/port [, | -]

Example:


Router(config-mon-local)# destination interface gigabitethernet 0/2/4 

Specifies the destination interface that sends both ingress and egress local spanned traffic from source port to the prober or sniffer.

  • interface_type —Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface.
    • slot/subslot/port —The location of the interface.
  • “,”—List of interfaces

  • “–”—Range of interfaces
Step 5

no shutdown

Example:


Router(config-mon-local)# no shutdown

Enables the local SPAN session.

Step 6

End


Removing Sources or Destinations from a Local SPAN Session

To remove sources or destinations from a local SPAN session, use the following commands beginning in EXEC mode:

Procedure


Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

no monitor session session-number

Example:

Router(config)# no monitor session 2

Clears existing SPAN configuration for a session.


Configuring RSPAN Source Session

To configure the source for a RSPAN session:

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. monitor session RSPAN_source_session_number type rspan-source
  4. Filter vlan vlan id
  5. source {single_interface slot/subslot/port| single_vlan [rx | tx | both ]
  6. destination remote vlan rspan_vlan_ID
  7. no shutdown
  8. end

DETAILED STEPS


Step 1

enable

Example:


Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 3

monitor session RSPAN_source_session_number type rspan-source

Example:


Router(config)# monitor session  1
 type rspan-source 

Configures an RSPAN source session number and enters RSPAN source session configuration mode for the session.

  • RSPAN_source_session_number—

    Valid sessions are 1 to 14.
  • rspan-source —Enters the RSPAN source-session configuration mode.
Step 4

Filter vlan vlan id

Example:

filter vlan 100

Applies the VLAN access map to the VLAN ID; valid values are from 1 to 4094.

Step 5

source {single_interface slot/subslot/port| single_vlan [rx | tx | both ]

Example:


Router(config-mon-rspan-src)# source interface gigabitethernet 0/2/1 tx

Specifies the RSPAN session number, the source interfaces and the traffic direction to be monitored.

  • single_interface Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface.
    • slot/subslot/port —The location of the interface.
  • single_vlan

    —Specifies the single VLAN.
  • both

    —(Optional) Monitors the received and the transmitted traffic.
  • rx

    —(Optional) Monitors the received traffic only.
  • tx —(Optional) Monitors the transmitted traffic only.
Step 6

destination remote vlan rspan_vlan_ID

Example:


Router(config-mon-rspan-src)# destination remote vlan2

Associates the RSPAN source session number session number with the RSPAN VLAN.

  • rspan_vlan_ID —Specifies the Vlan ID.
    Note 

    rspan_vlan_ID is the RSPAN BD that is configured under the EFP or port which carries the RSPANd traffic.

Step 7

no shutdown

Example:


Router(config-mon-rspan-src)# no shutdown

Enables RSPAN source.

Step 8

end

Example:


Router(config-mon-rspan-src)# end

Exists the configuration.


Configuring RSPAN Destination Session

To configure the destination for a RSPAN session for remote Vlan:

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. monitor session RSPAN_destination_session_number type rspan-destination
  4. source remote vlan rspan_vlan_ID
  5. destination {single_interface slot/subslot/port}
  6. no shutdown
  7. end

DETAILED STEPS


Step 1

enable

Example:


Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 3

monitor session RSPAN_destination_session_number type rspan-destination

Example:


Router(config)# monitor session 1 type rspan-destination

Configures a RPAN session.

  • RSPAN_destination_session_number— Valid sessions are 1 to 80.
  • rspan-destination —Enters the RSPAN destination-session configuration mode.
Step 4

source remote vlan rspan_vlan_ID

Example:


Router(config-mon-rspan-dst)# source remote vlan2

Associates the RSPAN destination session number RSPAN VLAN.

  • rspan_vlan_ID —Specifies the Vlan ID
Step 5

destination {single_interface slot/subslot/port}

Example:


Router(config-mon-rspan-dst)# destination interface gigabitethernet 0/0/1

Associates the RSPAN destination session number with the destination port.

  • single_interface —Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface.
    • slot/subslot/port—The location of the interface.
Step 6

no shutdown

Example:


Router(config-mon-rspan-dst)# no shutdown

Restarts the interface

Step 7

end

Example:


Router(config-mon-rspan-dst)# end

Exists the configuration


Removing Sources or Destinations from a RSPAN Session

To remove source or destination from a RSPAN session, delete and recreate the RSPAN session. The following are the steps:

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. no monitor session session number
  4. end

DETAILED STEPS


Step 1

enable

Example:


Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 3

no monitor session session number

Example:


Router(config)# no monitor session 1

Exits monitor session.

Step 4

end

Example:


Router(config-mon-rspan-src)# end

Exits configuration mode.


Sample Configurations

The following sections contain configuration example for SPAN and RSPAN on the router.

Configuration Example: Local SPAN

The following example shows how to configure local SPAN session 8 to monitor bidirectional traffic from source interface Gigabit Ethernet interface to destination:


Router(config)# monitor session 8 type local
Router(config)# source interface gigabitethernet 0/0/10
Router(config)# destination interface gigabitethernet 0/0/3
Router(config)# no shut

Configuration Example: Removing Sources or Destinations from a Local SPAN Session

This following example shows how to remove a local SPAN session:


Router(config)# no monitor session 8

Configuration Example: RSPAN Source

The following example shows how RSPAN session 2 to monitor bidirectional traffic from source interface Gigabit Ethernet 0/0/1:


Router(config)# monitor session 2 type RSPAN-source
Router(config-mon-RSPAN-src)# source interface gigabitEthernet0/0/1 [tx |rx|both]
Router(config-mon-RSPAN-src)# destination remote VLAN 100
Router(config-mon-RSPAN-src)# no shutdown
Router(config-mon-RSPAN-src)# end

The following example shows how RSPAN session 3 to monitor bidirectional traffic from source Vlan 200:


Router(config)# monitor session 3 type RSPAN-source
Router(config-mon-RSPAN-src)# filter vlan 100
Router(config-mon-RSPAN-src)# source interface Te0/0/23 rx
Router(config-mon-RSPAN-src)# destination remote VLAN 200
Router(config-mon-RSPAN-src)# no shutdown
Router(config-mon-RSPAN-src)# end

Configuration Example: RSPAN Destination

The following example shows how to configure interface Gigabit Ethernet 0/0/1 as the destination for RSPAN session 2:


Router(config)# monitor session 2 type RSPAN-destination
Router(config-mon-RSPAN-dst)# source remote VLAN 100
Router(config-mon-RSPAN-dst)# destination interface gigabitEthernet 0/0/1
Router(config-mon-RSPAN-dst)# end

Verifying Local SPAN and RSPAN

Use the show monitor session command to view the sessions configured.

  • The following example shows the Local SPAN source session with Tx as source:

Router# show monitor session 8
Session 8
---------
Type : Local Session
Status : Admin Enabled
Source Ports :
TX Only : Gi0/0/10
Destination Ports : Gi0/0/3
MTU : 1464
Dest RSPAN VLAN : 100
  • The following example shows the RSPAN source session with Gigabit Ethernet interface 0/0/1 as source:

Router# show monitor session 2
Session 2
---------
Type                   : Remote Source Session
Status                 : Admin Enabled
Source Ports           : 
    Both               : Gi0/0/1
MTU                    : 1464
  • The following example shows the RSPAN source session with Vlan 20 as source:

Router# show monitor session 3
Session 3
---------
Type                   : Remote Source Session
Status                 : Admin Enabled
Source VLANs           :
    RX Only            : 20
MTU                    : 1464
  • The following example shows the RSPAN destination session with Gigabit Ethernet interface 0/0/1 as destination:

Router# show monitor session 2
Session 2
---------
Type                   : Remote Destination Session
Status                 : Admin Enabled
Destination Ports      : Gi0/0/1
MTU                    : 1464
Source RSPAN VLAN : 100

Additional References

Related Documents

Related Topic Document Title

Cisco IOS commands

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mcl/allreleasemcl/all-book.html

Standards and RFCs

Standard/RFC Title

No specific Standards and RFCs are supported by the features in this document.

MIBs

MIB MIBs Link

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html