Configuring Switched Port Analyzer (SPAN)
The Switched Port Analyzer (SPAN) feature, which is sometimes called port mirroring or port monitoring, selects network traffic for analysis by a network analyzer. The following sections describe how to configure SPAN on Cisco ASR 903 Series Router:
SPAN Limitations and Configuration Guidelines
The following limitations and configuration guidelines apply when configuring SPAN on Cisco ASR 903 Series Router:
- SPAN is only supported on physical ports; SPAN is not supported on logical interfaces such as VLANs or EFPs.
- SPAN is not supported on port channels.
- Up to 15 active SPAN sessions (ingress and egress) are supported. The switch supports up to 15 ingress sessions and up to 12 egress sessions.
- You can have one SPAN destination interface.
- You cannot configure a SPAN destination interface to receive ingress traffic.
- Use a network analyzer to monitor interfaces.
- Outgoing CDP and BPDU packets are not replicated.
- When enabled, SPAN uses any previously entered configuration.
- When you specify source interfaces and do not specify a traffic type (Tx, Rx, or both), both is used by default.
- Enter the no monitor session session number command with no other parameters to clear the SPAN session number.
- SPAN destinations never participate in any spanning tree instance. SPAN includes BPDUs in the monitored traffic, so any BPDUs seen on the SPAN destination are from the SPAN source.
- SPAN sessions with overlapping sets of SPAN source interfaces are not supported.
Understanding Switched Port Analyzer
The following sections describe SPAN:
Switched Port Analyzer (SPAN) Session
A Switched Port Analyzer (SPAN) session is an association of a destination interface with a set of source interfaces. You configure SPAN sessions using parameters that specify the type of network traffic to monitor. SPAN sessions allow you to monitor traffic on one or more interfaces and to send either ingress traffic, egress traffic, or both to one destination interface. You can configure a SPAN session with separate sets of SPAN source interfaces; overlapping sets are not supported.
SPAN sessions do not interfere with the normal operation of the switch. You can enable or disable SPAN sessions with command-line interface (CLI) or SNMP commands. When enabled, a SPAN session might become active or inactive based on various events or actions, which are indicated by syslog messages. The show monitor session command displays the operational status of a SPAN session.
A SPAN session remains inactive after system power-up until the destination interface is operational.
Destination Interface
A destination interface, also called a monitor interface, is a switched interface to which SPAN sends packets for analysis. You can have one SPAN destination interface.
An interface configured as a destination interface cannot be configured as a source interface.
Specifying a trunk interface as a SPAN destination interface stops trunking on the interface.
Source Interface
A source interface is an interface monitored for network traffic analysis. An interface configured as a source interface cannot be configured as a destination interface.
Traffic Types
Ingress SPAN (Rx) copies network traffic received by the source interfaces for analysis at the destination interface. Egress SPAN (Tx) copies network traffic transmitted from the source interfaces. Specifying the configuration option, both, copies network traffic received and transmitted by the source interfaces to the destination interface.
SPAN Traffic
Network traffic, including multicast, can be monitored using SPAN. Multicast packet monitoring is enabled by default. In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination interface. For example, a bidirectional (both ingress and egress) SPAN session is configured for sources a1 and a2 to a destination interface d1. If a packet enters the switch through a1 and gets switched to a2, both incoming and outgoing packets are sent to destination interface d1; both packets would be the same (unless a Layer-3 rewrite had occurred, in which case the packets would be different).
Note
For ME3600/ME3800 switches, a maximum of 1 Gbps SPAN traffic is supported.
Configuring Switched Port Analyzer
The following sections describe how to configure SPAN:
Configuring Sources and Destinations for SPAN
To configure sources and destinations for a SPAN session, perform this task in privileged EXEC mode:
SUMMARY STEPS
1.
configure terminal
2.
monitor session {session_number} type local
3.
source {interface slot/port}} [, | - | rx | tx | both]
4.
destination {interface slot/port}} [, | - | rx | tx | both]
5.
no shutdown
DETAILED STEPS
|
|
|
Step 1 |
configure terminal
Switch# configure terminal |
Enters global configuration mode. |
Step 2 |
monitor session { session_number } type local
Switch(config)# monitor session 1 type local |
Specifies the SPAN session number and enters the local monitoring configuration mode. Note ME3600/3800 supports SPAN of type local only. The session number range is 1 through 15. |
Step 3 |
source interface interface_type slot/port [, | - | rx | tx | both]
Switch(config-mon-local)# source interface gigabitethernet 2/1 rx |
Specifies the source interface and the traffic type:
- “,”—List of interfaces
- “–”—Range of interfaces
- rx—Ingress SPAN
- tx—Egress SPAN
- both
|
Step 4 |
destination interface interface_type slot/port [, | - | rx | tx | both]
Switch(config-mon-local)# destination interface gigabitethernet 2/4 |
Specifies the destination interface that sends both ingress and egress spanned traffic from source port to the prober or sniffer. |
Step 5 |
no shutdown
Switch(config-mon-local)# no shutdown |
Enables the SPAN session. |
Note
You can configure multiple SPAN sessions, but only one SPAN session is supported at a time.
Removing Sources and Destinations from a SPAN Session
To remove sources or destinations from a SPAN session, use the following commands beginning in privileged EXEC mode:
SUMMARY STEPS
1.
configure terminal
2.
no monitor session session_number
DETAILED STEPS
|
|
|
Step 1 |
configure terminal
Switch# configure terminal |
Enters global configuration mode. |
Step 2 |
no monitor session session_number
Switch(config)# no monitor session 1 |
Clears existing SPAN configuration for a session. |
Sample Configurations
The following sections contain configuration examples for SPAN on the Cisco ASR 903 Series Router.
Configuring Sources and Destinations Example
The following example shows how to configure SPAN session 1 to monitor bidirectional traffic from source interface Gigabit Ethernet 2/1 and destination interface Gigabit Ethernet 2/4:
Switch# configure terminal
Switch(config)# monitor session 1 type local
Switch(config-mon-local)# source interface gigabitethernet 2/1
Switch(config-mon-local)# destination interface gigabitethernet 2/4
Switch(config-mon-local)# no shutdown
Removing Sources and Destinations from a SPAN Session Example
The following example shows how to remove a SPAN session:
Switch# configure terminal
Switch(config)# no monitor session 1
Displaying SPAN Session Information
To display information about the SPAN sessions you configured, use the show monitor session command:
show monitor session [ range session-range | local | remote | all | session ]
This example shows how to display information for a specific session:
Switch# show monitor session 1
This example shows how to display the detailed information for a specific session:
Switch# show monitor session 1 detail
Destination IP Address: None
Destination ERSPAN ID: None