Configuring SPAN

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for SPAN

SPAN

The restrictions for SPAN are as follows:

  • For SPAN sources, you can monitor traffic for a single port or a series or range of ports for each session.

  • The destination port cannot be a source port; a source port cannot be a destination port.

  • You cannot have two SPAN sessions using the same destination port.

  • When you configure a switch port as a SPAN destination port, it is no longer a normal switch port; only monitored traffic passes through the SPAN destination port.

  • Entering SPAN configuration commands does not remove previously configured SPAN parameters. You must enter the no monitor session {session_number | all } global configuration command to delete configured SPAN parameters.

  • You can configure a disabled port to be a source or destination port, but the SPAN function does not start until the destination port and at least one source port are enabled.

Traffic monitoring in a SPAN session has the following restrictions:

  • The switch supports only one local SPAN session.

  • SPAN sessions do not interfere with the normal operation of the switch. However, an oversubscribed SPAN destination, for example, a 10-Mb/s port monitoring a 100-Mb/s port, can result in dropped or lost packets.

  • When SPAN is enabled, each packet being monitored is sent twice, once as normal traffic and once as a monitored packet. Monitoring a large number of ports could potentially generate large amounts of network traffic.

  • You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active unless you enable the destination port and at least one source port for that session.

Information About SPAN

SPAN

You can analyze network traffic passing through ports by using SPAN to send a copy of the traffic to another port on the switch or on another switch that has been connected to a network analyzer or other monitoring or security device. SPAN copies (or mirrors) traffic received or sent (or both) on source ports to a destination port for analysis. SPAN does not affect the switching of network traffic on the source ports. You must dedicate the destination port for SPAN use. Except for traffic that is required for the SPAN session, destination ports do not receive or forward traffic.

Only traffic that enters or leaves source ports can be monitored by using SPAN.

You can use the SPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.

Default SPAN Configuration

Table 1. Default SPAN Configuration

Feature

Default Setting

SPAN state

Disabled.

Source port traffic to monitor

Both received and sent traffic (both ).

Encapsulation type (destination port)

Native form (untagged packets).

Ingress forwarding (destination port)

Disabled.

Configuration Guidelines

SPAN Configuration Guidelines

  • To remove a source or destination port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command or the no monitor session session_number destination interface interface-id global configuration command. For destination interfaces, the encapsulation options are ignored with the no form of the command.

How to Configure SPAN

Creating a Local SPAN Session

Follow these steps to create a SPAN session and specify the source (monitored) ports or VLANs and the destination (monitoring) ports.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. no monitor session session_number
  4. monitor session session_number source {interface interface-id} [, | - ] [both | rx | tx ]
  5. monitor session session_number destination {interface interface-id [, | - ] }
  6. end
  7. show running-config
  8. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Switch> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Switch# configure terminal

Enters global configuration mode.

Step 3

no monitor session session_number

Example:


Switch(config)# no monitor session 1

Removes existing SPAN configuration for the specified session. The range is 1 to 4.

Step 4

monitor session session_number source {interface interface-id} [, | - ] [both | rx | tx ]

Example:


Switch(config)# monitor session 1 source interface gigabitethernet0/1

Specifies the SPAN session and the source port (monitored port).

  • For session_number , the range is 1 to 4.

  • For interface-id , specify the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number ). Valid port-channel numbers are 1 to 6.

  • (Optional) [, | - ] Specifies a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.

  • (Optional) both | rx | tx —Specifies the direction of traffic to monitor. If you do not specify a traffic direction, the source interface sends both sent and received traffic.

    • both —Monitors both received and sent traffic.

    • rx —Monitors received traffic.

    • tx —Monitors sent traffic.

      Note 

      You can use the monitor session session_number source command multiple times to configure multiple source ports.

Step 5

monitor session session_number destination {interface interface-id [, | - ] }

Example:


Switch(config)# monitor session 1 destination interface gigabitethernet0/2 
Specifies the SPAN session and the destination port (monitoring port). The port LED changes to amber when the configuration changes take effect. The LED returns to its original state(green) only after removing the SPAN destination configuration.
Note 

For local SPAN, you must use the same session number for the source and destination interfaces.

  • For session_number , specify the session number entered in step 4.

  • For interface-id , specify the destination port. The destination interface must be a physical port; it cannot be an EtherChannel, and it cannot be a VLAN.

  • (Optional) [, | - ] Specifies a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.

Note 

You can use monitor session session_number destination command multiple times to configure multiple destination ports.

Step 6

end

Example:


Switch(config)# end

Returns to privileged EXEC mode.

Step 7

show running-config

Example:


Switch# show running-config 

Verifies your entries.

Step 8

copy running-config startup-config

Example:


Switch# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Creating a Local SPAN Session and Configuring Incoming Traffic

Follow these steps to create a SPAN session, to specify the source ports or VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance).

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. no monitor session {session_number | all | local | remote }
  4. monitor session session_number source {interface interface-id | vlan vlan-id} [, | - ] [both | rx | tx ]
  5. monitor session session_number destination {interface interface-id [, | - ] [encapsulation replicate [ingress {dot1q vlan vlan-id | untagged vlan vlan-id | vlan vlan-id}]}
  6. end
  7. show running-config
  8. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Switch> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Switch# configure terminal

Enters global configuration mode.

Step 3

no monitor session {session_number | all | local | remote }

Example:


Switch(config)# no monitor session all

Removes any existing SPAN configuration for the session.

  • For session_number , the range is 1 to 66.

  • all —Removes all SPAN sessions.

  • local —Removes all local sessions.

  • remote —Removes all remote SPAN sessions.

Step 4

monitor session session_number source {interface interface-id | vlan vlan-id} [, | - ] [both | rx | tx ]

Example:


Switch(config)# monitor session 2 source gigabitethernet1/0/1 rx

Specifies the SPAN session and the source port (monitored port).

Step 5

monitor session session_number destination {interface interface-id [, | - ] [encapsulation replicate [ingress {dot1q vlan vlan-id | untagged vlan vlan-id | vlan vlan-id}]}

Example:


Switch(config)# monitor session 2 destination interface gigabitethernet1/0/2 ingress dot1q vlan 6

Specifies the SPAN session, the destination port, the packet encapsulation, and the ingress VLAN and encapsulation.

  • For session_number , specify the session number entered in Step 4.

  • For interface-id , specify the destination port. The destination interface must be a physical port; it cannot be an EtherChannel, and it cannot be a VLAN.

  • (Optional) [, | - ] —Specifies a series or range of interfaces. Enter a space before and after the comma or hyphen.

  • ingress enables forwarding of incoming traffic on the destination port and to specify the encapsulation type:

    • dot1q vlan vlan-id— Accepts incoming packets with IEEE 802.1Q encapsulation with the specified VLAN as the default VLAN.

    • untagged vlan vlan-id or vlan vlan-id— Accepts incoming packets with untagged encapsulation type with the specified VLAN as the default VLAN.

Step 6

end

Example:


Switch(config)# end

Returns to privileged EXEC mode.

Step 7

show running-config

Example:


Switch# show running-config 

Verifies your entries.

Step 8

copy running-config startup-config

Example:


Switch# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Monitoring SPAN Operations

The following table describes the command used to display SPAN operations configuration and results to monitor operations:

Table 2. Monitoring SPAN Operations
Command Purpose

show monitor session

Displays the current SPAN configuration.

Enter the all keyword to show configuration for all SPAN sessions, the local keyword to show configurations for local sessions only, and the range keyword to show configurations for a range of SPAN sessions.

SPAN Configuration Examples

Example: Configuring Local SPAN

This example shows how to set up SPAN session 1 for monitoring source port traffic to a destination port. First, any existing SPAN configuration for session 1 is deleted, and then bidirectional traffic is mirrored from source Gigabit Ethernet port 1 to destination Gigabit Ethernet port 2, retaining the encapsulation method.


Switch> enable
Switch# configure terminal
Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface gigabitethernet0/1
Switch(config)# monitor session 1 destination interface gigabitethernet0/2 encapsulation replicate
Switch(config)# end

This example shows how to remove port 1 as a SPAN source for SPAN session 1:


Switch> enable
Switch# configure terminal
Switch(config)# no monitor session 1 source interface gigabitethernet0/1
Switch(config)# end

This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:


Switch> enable
Switch# configure terminal
Switch(config)# no monitor session 1 source interface gigabitethernet0/1 rx

The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.

This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination Gigabit Ethernet port 2. The configuration is then modified to also monitor all traffic on all ports belonging to VLAN 10.


Switch> enable
Switch# configure terminal
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 destination interface gigabitethernet0/2
Switch(config)# end

This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on Gigabit Ethernet source port 1, and send it to destination Gigabit Ethernet port 2 with the same egress encapsulation type as the source port, and to enable ingress forwarding with VLAN 6 as the default ingress VLAN:


Switch> enable
Switch# configure terminal
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source gigabitethernet0/1 rx
Switch(config)# monitor session 2 destination interface gigabitethernet0/2 encapsulation replicate ingress vlan 6
Switch(config)# end

Additional References

Related Documents

Related Topic Document Title
System Commands

Network Management Command Reference, Cisco IOS Release 15.2(2)E

Error Message Decoder

Description Link

To help you research and resolve system error messages in this release, use the Error Message Decoder tool.

https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi

Standards and RFCs

Standard/RFC Title

None

-

MIBs

MIB MIBs Link

All supported MIBs for this release.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/support

Feature History and Information for SPAN

Release Modification

Cisco IOS Release 15.0(2)EXCisco IOS Release 15.2(5)ECisco IOS 15.2(5)E

Switch Port Analyzer (SPAN): Allows monitoring of switch traffic on a port or VLAN using a sniffer/analyzer or RMON probe.

This feature was introduced.

Cisco IOS Release 15.0(2)EXCisco IOS Release 15.2(5)ECisco IOS 15.2(5)E

SPAN destination port support on EtherChannels: Provides the ability to configure a SPAN destination port on an EtherChannel.

This feature was introduced.

Cisco IOS Release 15.0(2)EXCisco IOS Release 15.2(5)ECisco IOS 15.2(5)E

Switch Port Analyzer (SPAN) - distributed egress SPAN: Provides distributed egress SPAN functionality onto line cards in conjunction with ingress SPAN already been distributed to line cards. By distributing egress SPAN functionalities onto line cards, the performance of the system is improved.

This feature was introduced.