Configuring Switched Port Analyzer

This document describes how to configure local Switched Port Analyzer (SPAN) and remote SPAN (RSPAN) on the router.

Prerequisites for Configuring Local SPAN and RSPAN

Local SPAN

  • Use a network analyzer to monitor interfaces.

RSPAN

  • Before configuring RSPAN sessions, you must first configure:
    1. Source interface

    2. Destination Bridge Domain over VPLS

Restrictions for Local SPAN and RSPAN

Local SPAN

  • Local SPAN is only supported on physical ports.

  • VLAN filtering is not supported.

  • SPAN monitoring of port-channel interfaces or port-channel member-links is not supported.

  • Combined Egress local SPAN bandwidth supported is 1 GB.

  • Local SPAN is not supported on logical interfaces such as VLANs or EFPs.

  • Only one local SPAN destination interface is supported. You cannot configure a local SPAN destination interface to receive ingress traffic.

  • Outgoing Cisco Discovery Protocol (CDP) and Bridge Protocol Data Unit (BPDU) packets are not replicated.

  • When enabled, local SPAN uses any previously entered configuration.

  • When you specify source interfaces and do not specify a traffic direction (Tx, Rx, or both), both is used by default.

  • Local SPAN destinations never participate in any spanning tree instance. Local SPAN includes BPDUs in the monitored traffic, so any BPDUs seen on the local SPAN destination are from the local SPAN source.

  • Local SPAN sessions with overlapping sets of local SPAN source interfaces or VLANs are not supported.

  • EFP/TEFP shut will not stop traffic flow.

  • Only one Interface can be configured as monitor destination for Local SPAN.

  • Only Rx (BPDU) control packets will be replicated in local SPAN.

  • More than one interface as source will work in local SPAN.

  • A monitor source interface can be part of only one local SPAN session. If the source interface is configured as a SPAN destination in another session, the following error is displayed: "Interfaces Gi 0/0/1 is already configured as monitor sources in session 1, hence rejecting the entire bundle of requests under this submode."

  • A destination interface can be part of only one local SPAN session. If the same destination is programmed for two sessions, the following error is displayed: "Interfaces Gi0/0/0 already configured as monitor destinations in other monitor sessions."

  • Once maximum scale is reached, you need to remove SPAN sessions and then reconfigure a new session.

  • Incoming packets will be mirrored based on packets on wire for LSPAN/RSPAN.

  • Egress packets will be mirrored based on packets after applying rewrite / QoS on packets.

  • Any change to EFP or interface configuration requires reconfiguring LSPAN/RSPAN.

  • Dynamic modification of SPAN/RSPAN is not supported.

RSPAN

  • Only Rx is supported for RSPAN with Filter vlan, BD.

  • If configuration change is done to EFP which is part of SPAN session, it will not stop traffic flow.

  • Port channel RSPAN is not supported.

  • Per member link RSPAN is not supported.

  • VLAN filtering is supported.

  • If two RSPAN configuration sessions are configured on two RSPAN BDs associated to the same Trunk EFP, the traffic from the first session flows to the second session after it is configured.

  • RSPAN spans the Rx traffic even when the classifying service instance of the receiving port is in admin down state.

  • EFP/TEFP shut will not stop traffic flow. RSPAN traffic does not Egress out of both the EFP attached to BD in same interface.

  • Multiple source ports are not supported for RSPAN. Port-range is not supported for RSPAN.

  • Filtering option will be supported only in interface mode.

  • Filtering will be supported only on single and double encapsulation.

  • Once maximum scale is reached, you need to remove RSPAN sessions and then reconfigure a new session.

  • RSPAN will mirror all BD traffic configured on TEFP.

  • Filter option will not work for default and untagged.

  • Incoming packets will be mirrored based on packets on wire for LSPAN/RSPAN.

  • Egress packets will be mirrored based on packets after applying rewrite / QoS on packets.

  • Any change to EFP or interface configuration requires reconfiguring LSPAN/RSPAN.

  • Dynamic modification of SPAN/RSPAN is not yet supported.


Note: Incomplete configuration of RSPAN / LSPAN will result in traffic drop issues.

Scale Support for Port Mirroring

In total 8 logical ports (4 for Ingress and 4 for Egress) are assigned in Broadcom for Mirroring (including Local and Remote SPAN).

For Local SPAN, one logical port is assigned for Ingress mirroring and one logical port is assigned for Egress mirroring. In case both are selected then 2 logical ports are assigned.

For Remote SPAN, 2 logical ports are assigned for Ingress mirroring and 2 logical ports are assigned for Egress mirroring.

Maximum scale depends on consumption of these logical ports.

Understanding Local SPAN and RSPAN

Information About Local SPAN Session and RSPAN Session

Local SPAN Session

A local Switched Port Analyzer (SPAN) session is an association of a destination interface with a set of source interfaces. You can configure local SPAN sessions to monitor all traffic in a specified direction. Local SPAN sessions allow you to monitor traffic on one or more interfaces and to send either ingress traffic, egress traffic, or both to one destination interface.

Local SPAN sessions do not interfere with the normal operation of the switch. You can enable or disable SPAN sessions with command-line interface (CLI) commands. When enabled, a local SPAN session might become active or inactive based on various events or actions, and this would be indicated by a syslog message. The show monitor session span session number command displays the operational status of a SPAN session.

A local SPAN session remains inactive after system power-up until the destination interface is operational.

The following configuration guidelines apply when configuring local SPAN on the router:

  • When enabled, local SPAN uses any previously entered configuration.

  • Use the no monitor session session number command with no other parameters to clear the local SPAN session number.

Local SPAN Traffic

Network traffic, including multicast, can be monitored using SPAN. Multicast packet monitoring is enabled by default. In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination interface. For example, a bidirectional (both ingress and egress) SPAN session is configured for sources a1 and a2 to a destination interface d1. If a packet enters the switch through a1 and gets switched to a2, both incoming and outgoing packets are sent to destination interface d1; both packets would be the same (unless a Layer-3 rewrite had occurred, in which case the packets would be different).

RSPAN Session

An RSPAN source session is an association of source ports or VLAN across your network with an RSPAN Vlan. The RSPAN VLAN/BD on the router is the destination RSPAN session.

RSPAN Traffic for RSP2 Module

RSPAN supports source ports and source VLANs in the source switch and destination as RSPAN VLAN/BD.

The figure below shows the original traffic from Host A to Host B via the source ports or VLANs on Host A. The source ports or VLANs of Host A are mirrored to Host B using RSPAN VLAN 10. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating devices. The traffic from the source ports or VLANs is mirrored into the RSPAN VLAN and forwarded over Trunk or the EVC bridge domain (BD) ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN.

Each RSPAN source must have either ports or VLANs as RSPAN sources. On RSPAN destination, the RSPAN VLAN is monitored and mirrored to the destination physical port connected to the sniffer device.

Figure 1. RSPAN Traffic

RSPAN allows remote monitoring of traffic where the source and destination switches are connected by L2VPN networks.

The RSPAN source is either ports or VLANs as in a traditional RSPAN. However, the SPAN source and destination devices are connected through an L2 pseudowire associated with the RSPAN VLAN over an MPLS/IP network. The L2 pseudowire is dedicated to RSPAN traffic only. The mirrored traffic from the source port or VLAN is carried over the pseudowire associated with the RSPAN VLAN towards the destination side. On the destination side, a port belonging to the RSPAN VLAN or EVC BD is connected to the sniffer device.

Destination Interface

A destination interface, also called a monitor interface, is a switched interface to which SPAN or RSPAN sends packets for analysis. You can have only one destination interface for SPAN sessions.

An interface configured as a destination interface cannot be configured as a source interface. Specifying a trunk interface as a SPAN or RSPAN destination interface stops trunking on the interface.

Source Interface

A source interface is an interface monitored for network traffic analysis. An interface configured as a destination interface cannot be configured as a source interface.

Configuring Local SPAN and RSPAN

Configuring Sources and Destinations for Local SPAN

To configure sources and destinations for a SPAN session:

Procedure


Step 1

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 2

monitor session { session_number } type local

Example:


Router(config)# monitor session 1 type local 

Specifies the local SPAN session number and enters the local monitoring configuration mode.

  • session_number —Indicates the monitor session. The valid range is 1 through 14.

Step 3

source interface interface_type slot/subslot/port [, | - | rx | tx | both]

Example:


Router(config-mon-local)# source interface gigabitethernet 0/2/1 rx

Specifies the source interface and the traffic direction:

  • interface_type —Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface.
    • slot/subslot/port —The location of the interface.
  • “,”—List of interfaces
  • “–”—Range of interfaces
  • rx—Ingress local SPAN
  • tx—Egress local SPAN
  • both

Step 4

destination interface interface_type slot/subslot/port [, | -]

Example:


Router(config-mon-local)# destination interface gigabitethernet 0/2/4 

Specifies the destination interface that sends both ingress and egress local spanned traffic from source port to the prober or sniffer.

  • interface_type —Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface.
    • slot/subslot/port —The location of the interface.
  • “,”—List of interfaces

  • “–”—Range of interfaces

Step 5

no shutdown

Example:


Router(config-mon-local)# no shutdown

Enables the local SPAN session.

Step 6

end


Removing Sources or Destinations from a Local SPAN Session

To remove sources or destinations from a local SPAN session, use the following commands beginning in EXEC mode:

Procedure


Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

no monitor session session-number

Example:

Router(config)# no monitor session 2

Clears existing SPAN configuration for a session.


Configuring RSPAN Source Session

To configure the source for a RSPAN session:

Procedure


Step 1

enable

Example:


Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 3

monitor session RSPAN_source_session_number type rspan-source

Example:


Router(config)# monitor session 1 type rspan-source

Configures an RSPAN source session number and enters RSPAN source session configuration mode for the session.

  • RSPAN_source_session_number —Valid sessions are 1 to 14.
  • rspan-source —Enters the RSPAN source-session configuration mode.

Step 4

filter vlan vlan_id

Example:

Router(config-mon-rspan-src)# filter vlan 100

Applies the VLAN access map to the VLAN ID; valid values are from 1 to 4094.

Step 5

source {single_interface slot/subslot/port | single_vlan} [rx | tx | both]

Example:


Router(config-mon-rspan-src)# source interface gigabitethernet 0/2/1 tx

Specifies the RSPAN session number, the source interfaces and the traffic direction to be monitored.

  • single_interface —Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface.
    • slot/subslot/port —The location of the interface.
  • single_vlan —Specifies the single VLAN.
  • both —(Optional) Monitors the received and the transmitted traffic.
  • rx —(Optional) Monitors the received traffic only.
  • tx —(Optional) Monitors the transmitted traffic only.

Step 6

no shutdown

Example:


Router(config-mon-rspan-src)# no shutdown

Enables RSPAN source.

Step 7

end

Example:


Router(config-mon-rspan-src)# end

Exits the configuration.


Configuring RSPAN Destination Session

To configure the destination for a RSPAN session for remote Vlan:

Procedure


Step 1

enable

Example:


Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 3

monitor session RSPAN_destination_session_number type rspan-destination

Example:


Router(config)# monitor session 1 type rspan-destination

Configures an RSPAN session.

  • RSPAN_destination_session_number— Valid sessions are 1 to 80.
  • rspan-destination —Enters the RSPAN destination-session configuration mode.

Step 4

source remote vlan rspan_vlan_ID

Example:


Router(config-mon-rspan-dst)# source remote vlan 2

Associates the RSPAN destination session number with the RSPAN VLAN.

  • rspan_vlan_ID —Specifies the Vlan ID

Step 5

destination {single_interface slot/subslot/port}

Example:


Router(config-mon-rspan-dst)# destination interface gigabitethernet 0/0/1

Associates the RSPAN destination session number with the destination port.

  • single_interface —Specifies the Gigabit Ethernet or Ten Gigabit Ethernet interface.
    • slot/subslot/port—The location of the interface.

Step 6

no shutdown

Example:


Router(config-mon-rspan-dst)# no shutdown

Restarts the interface.

Step 7

end

Example:


Router(config-mon-rspan-dst)# end

Exits the configuration.


Removing Sources or Destinations from a RSPAN Session

To remove source or destination from a RSPAN session, delete and recreate the RSPAN session. The following are the steps:

Procedure


Step 1

enable

Example:


Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 3

no monitor session session number

Example:


Router(config)# no monitor session 1

Exits monitor session.

Step 4

end

Example:


Router(config)# end

Exits configuration mode.


Sample Configurations

The following sections contain configuration example for SPAN and RSPAN on the router.

Configuration Example: Local SPAN

The following example shows how to configure local SPAN session 8 to monitor bidirectional traffic from source interface Gigabit Ethernet interface to destination:


Router(config)# monitor session 8 type local
Router(config-mon-local)# source interface gigabitethernet 0/0/10
Router(config-mon-local)# destination interface gigabitethernet 0/0/3
Router(config-mon-local)# no shut

Configuration Example: Removing Sources or Destinations from a Local SPAN Session

The following example shows how to remove a local SPAN session:


Router(config)# no monitor session 8

Configuration Example: RSPAN Source

The following example shows how to configure RSPAN session 2 to monitor bidirectional traffic from source interface Gigabit Ethernet 0/0/1:


Router(config)# monitor session 2 type RSPAN-source
Router(config-mon-RSPAN-src)# source interface gigabitEthernet 0/0/1 both
Router(config-mon-RSPAN-src)# destination remote VLAN 100
Router(config-mon-RSPAN-src)# no shutdown
Router(config-mon-RSPAN-src)# end

The following example shows how to configure RSPAN session 3 to monitor bidirectional traffic from source Vlan 200:


Router(config)# monitor session 3 type RSPAN-source
Router(config-mon-RSPAN-src)# filter vlan 100
Router(config-mon-RSPAN-src)# source interface Te0/0/23 rx
Router(config-mon-RSPAN-src)# destination remote VLAN 200
Router(config-mon-RSPAN-src)# no shutdown
Router(config-mon-RSPAN-src)# end

Configuration Example: RSPAN Destination

The following example shows how to configure interface Gigabit Ethernet 0/0/1 as the destination for RSPAN session 2:


Router(config)# monitor session 2 type RSPAN-destination
Router(config-mon-RSPAN-dst)# source remote VLAN 100
Router(config-mon-RSPAN-dst)# destination interface gigabitEthernet 0/0/1
Router(config-mon-RSPAN-dst)# end
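A planned configuration can be checked against the restrictions listed in this document before it is applied to the router. The following is an added example, not Cisco code: `parse_sessions`, `lint` and the sample configuration are constructed for illustration, and the indented running-config layout is an assumption.

```python
import re

# Constructed running-config fragment (not from a real device).
SAMPLE_CONFIG = """\
monitor session 1 type local
 source interface gigabitethernet 0/0/10 rx
 destination interface gigabitethernet 0/0/3
monitor session 2 type local
 source interface Gi0/0/10 tx
 destination interface gigabitethernet 0/0/4
monitor session 3 type rspan-source
 source interface gigabitethernet 0/0/3 both
 source interface port-channel 1 rx
monitor session 15 type local
 source interface Te0/0/23
 destination interface gigabitethernet 0/0/3
"""
HEADER = re.compile(r"^monitor session (\d+) type (\S+)", re.I)
PORT = re.compile(r"^(source|destination) interface ([a-z-]+)\s*([\d/]+)(?:\s+(rx|tx|both))?$", re.I)

def parse_sessions(text):
    """Return {number: {"type": str, "sources": [(port, direction)], "dests": [port]}}."""
    sessions, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            cur = sessions.setdefault(int(m[1]), {"type": m[2].lower(), "sources": [], "dests": []})
        elif raw[:1] not in (" ", "\t"):
            cur = None  # an unindented line means we left the monitor-session submode
        elif cur is not None and (m := PORT.match(line)):
            port = m[2][:2].lower() + m[3]  # "gigabitethernet 0/0/3" and "Gi0/0/3" -> "gi0/0/3"
            if m[1].lower() == "source":
                cur["sources"].append((port, (m[4] or "both").lower()))  # no direction means both
            else:
                cur["dests"].append(port)
    return sessions

def lint(sessions):
    """Check parsed sessions against restrictions stated in this document."""
    findings, src_owner, dst_owner, all_sources = [], {}, {}, set()
    for num, s in sorted(sessions.items()):
        limit = 80 if s["type"] == "rspan-destination" else 14
        if not 1 <= num <= limit:
            findings.append(f"session {num}: number outside 1-{limit}")
        if s["type"] == "rspan-source" and len(s["sources"]) > 1:
            findings.append(f"session {num}: multiple RSPAN source ports")
        for port, _direction in s["sources"]:
            all_sources.add(port)
            if port.startswith("po"):
                findings.append(f"session {num}: port-channel source {port}")
            if s["type"] == "local" and src_owner.setdefault(port, num) != num:
                findings.append(f"session {num}: source {port} already in session {src_owner[port]}")
        for port in s["dests"]:
            if dst_owner.setdefault(port, num) != num:
                findings.append(f"session {num}: destination {port} already in session {dst_owner[port]}")
    for port in sorted(all_sources & set(dst_owner)):
        findings.append(f"{port}: configured as both source and destination")
    return findings
```

Running `lint(parse_sessions(SAMPLE_CONFIG))` reports six findings for the constructed fragment; the local SPAN sample above produces none.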

Verifying Local SPAN and RSPAN

Use the show monitor session command to view the sessions configured.

  • The following example shows the Local SPAN source session with Tx as source:

Router# show monitor session 8
Session 8
---------
Type : Local Session
Status : Admin Enabled
Source Ports :
TX Only : Gi0/0/10
Destination Ports : Gi0/0/3
MTU : 1464
Dest RSPAN VLAN : 100

  • The following example shows the RSPAN source session with Gigabit Ethernet interface 0/0/1 as source:

Router# show monitor session 2
Session 2
---------
Type                   : Remote Source Session
Status                 : Admin Enabled
Source Ports           : 
    Both               : Gi0/0/1
MTU                    : 1464

  • The following example shows the RSPAN source session with Vlan 20 as source:

Router# show monitor session 3
Session 3
---------
Type                   : Remote Source Session
Status                 : Admin Enabled
Source VLANs           :
    RX Only            : 20
MTU                    : 1464

  • The following example shows the RSPAN destination session with Gigabit Ethernet interface 0/0/1 as destination:

Router# show monitor session 2
Session 2
---------
Type                   : Remote Destination Session
Status                 : Admin Enabled
Destination Ports      : Gi0/0/1
MTU                    : 1464
Source RSPAN VLAN : 100
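
Mirror sessions copy live traffic to another port, so it is worth confirming that the sessions the router reports match the ones that were approved. The following added example (not Cisco code) parses output in the layout shown above and compares it with a baseline; the function names, the baseline format and the sample capture are constructed for illustration.

```python
import re

# Constructed capture of two `show monitor session` outputs in the layout shown above.
SAMPLE_OUTPUT = """\
Router# show monitor session 8
Session 8
---------
Type : Local Session
Status : Admin Enabled
Source Ports :
TX Only : Gi0/0/10
Destination Ports : Gi0/0/3
MTU : 1464
Router# show monitor session 2
Session 2
---------
Type                   : Remote Destination Session
Status                 : Admin Enabled
Destination Ports      : Gi0/0/1
MTU                    : 1464
Source RSPAN VLAN : 100
"""
SESSION = re.compile(r"^Session (\d+)\s*$")
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")
DIRECTIONS = {"rx only": "rx", "tx only": "tx", "both": "both"}

def parse_show_monitor(text):
    """Return {session_number: {"fields": {name: value}, "sources": [(direction, item)]}}."""
    sessions, cur = {}, None
    for line in text.splitlines():
        if m := SESSION.match(line):
            cur = sessions.setdefault(int(m[1]), {"fields": {}, "sources": []})
        elif cur is not None and (m := FIELD.match(line)):
            key, value = m[1].lower(), m[2]
            if key in DIRECTIONS:  # "TX Only", "RX Only" and "Both" list the mirrored sources
                cur["sources"] += [(DIRECTIONS[key], item.strip()) for item in value.split(",")]
            elif value:  # skip header rows such as "Source Ports :" that carry no value
                cur["fields"][key] = value
    return sessions

def audit(sessions, approved):
    """Compare parsed sessions with approved = {session_number: destination_port}."""
    findings = []
    for num, s in sorted(sessions.items()):
        dest = s["fields"].get("destination ports")
        if num not in approved:
            findings.append(f"session {num}: not in baseline ({s['fields'].get('type')}, destination {dest})")
        elif approved[num] != dest:
            findings.append(f"session {num}: destination {dest} differs from approved {approved[num]}")
    findings += [f"session {n}: in baseline but not on device" for n in sorted(set(approved) - set(sessions))]
    return findings
```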
