cc/td/doc/product/core/cis7600/ios121_8
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Configuring SPAN

Configuring SPAN

This chapter describes how to configure Switched Port Analyzer (SPAN) on the Cisco 7600 series Internet Routers.

This chapter consists of these sections:

Understanding How SPAN Works

These sections describe how SPAN works:

SPAN Overview

SPAN selects network traffic for analysis by a network analyzer such as a SwitchProbe device or other Remote Monitoring (RMON) probe. SPAN mirrors traffic from one or more source ports on any VLAN or from one or more VLANs to a destination port for analysis (see Figure 27-1). In Figure 27-1, all traffic on Ethernet port 5 (the source port) is mirrored to Ethernet port 10. A network analyzer on Ethernet port 10 receives all network traffic from Ethernet port 5 without being physically attached to it.


Figure 27-1: Example SPAN Configuration


For SPAN configuration, the source ports and the destination port must be on the same Cisco 7600 series Internet Router.

SPAN does not affect the switching of network traffic on source ports; a copy of the packets received or transmitted by the source ports are sent to the destination port.

SPAN Session

A SPAN session is an association of a destination port with a set of source ports; you configure SPAN sessions using parameters that specify the type of network traffic to monitor. SPAN sessions allow you to monitor traffic on one or more ports, or one or more VLANs, and send either ingress traffic, egress traffic, or both to one or more destination ports. You can configure two separate SPAN sessions with separate or overlapping sets of SPAN source ports or VLANs. Both switched and routed ports can be configured as SPAN sources.

SPAN sessions do not interfere with the normal operation of the Internet Router. You can enable or disable SPAN sessions with command-line interface (CLI) or SNMP commands.

Destination Interface

A destination port (also called a monitor interface) is a switched or routed port where SPAN sends packets for analysis. You can have up to 64 SPAN destination ports. Once a port becomes an active destination port, incoming traffic is disabled. You cannot configure a SPAN destination port to receive ingress traffic. The port does not forward any traffic except that required for the SPAN session.

A port specified as a destination port in one SPAN session cannot be a destination port for a second SPAN session. A port configured as a destination port cannot be configured as a source port. EtherChannel interfaces cannot be SPAN destination interfaces.

Specifying a trunk port as a SPAN destination interface stops trunking on the port.

Source Interface

A source port is an port monitored for network traffic analysis. One or more source ports can be monitored in a single SPAN session with user-specified traffic types (ingress, egress, or both) applicable for all the source ports. You can have only one egress port and up to 64 ingress ports.

You can configure source ports in any VLAN. You can configure VLANs as sources, which means that all ports in the specified VLANs are source ports for the SPAN session.

Trunk ports can be configured as source ports and mixed with nontrunk source ports; however, the destination port never encapsulates, so you do not see any encapsulation out of the SPAN destination port.

Traffic Types

Ingress SPAN (Rx) copies network traffic received by the source ports for analysis at the destination port. Egress SPAN (Tx) copies network traffic transmitted from the source ports. Specifying the configuration option "both" copies network traffic received and transmitted by the source ports to the destination port.

VLAN-Based SPAN

VLAN-based SPAN is analysis of the network traffic in one or more VLANs. You can configure VLAN based-SPAN as ingress SPAN, egress SPAN, or both. All the ports in the source VLANs become source ports for the VLAN-based SPAN session.

Use the following guidelines for VLAN-based SPAN sessions:

SPAN Traffic

All network traffic, including multicast and bridge protocol data unit (BPDU) packets, can be monitored using SPAN. Multicast packet monitoring is enabled by default.

In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination port. For example, a bidirectional (both ingress and egress) SPAN session is configured for sources a1 and a2 to a destination port d1. If a packet enters the Internet Router through a1 and gets switched to a2, both incoming and outgoing packets are sent to destination port d1; both packets would be the same (unless a Layer-3 rewrite had occurred, in which case the packets would be different).

SPAN Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring SPAN:

Configuring SPAN

These sections describe how to configure SPAN:

Configuring SPAN Sources

To configure the source for a SPAN session, perform this task:

Command Purpose
Router(config)# monitor session session_number 
{source {interface type slot/port} | {vlan vlan_ID}} 
[, | - | rx | tx | both]

Configures the SPAN session number (1 or 2), the source ports or VLANs, and the traffic direction to be monitored.

Router(config)# no monitor session session_number 
[{source {interface type slot/port} | {vlan vlan_ID}} 
[, | - | rx | tx | both]]

Clears the SPAN source configuration.

This example shows how to configure SPAN session 1 to monitor bidirectional traffic from source Fast Ethernet port 5/1:

Router(config)# monitor session 1 source interface fastethernet 5/1

Configuring SPAN Destinations

To configure the destination for a SPAN session, perform this task:

Command Purpose
Router(config)# monitor session session_number 
{destination {interface type slot/port} [, | - ] | 
{vlan vlan_ID}} 

Configures the SPAN session number (1 or 2) and the destination ports or VLANs.

Router(config)# no monitor session session_number 
[{destination {interface type slot/port} | {vlan 
vlan_ID}}]

Clears the SPAN destination configuration.

This example shows how to configure Fast Ethernet port 5/48 as the destination for SPAN session 1:

Router(config)# monitor session 1 destination interface fastethernet 5/48

Monitoring Source VLANs on a Trunk Interface

To monitor specific VLANs when the SPAN source is a trunk port, perform this task:

Command Purpose
Router(config)# monitor session session_number filter 
{vlan_ID} [, | - ]

Monitors specific VLANs when the SPAN source is a trunk port.

Router(config)# no monitor session session_number 
filter {vlan_ID} [, | - ]

Clears SPAN trunk source configuration.

This example shows how to monitor VLANs 1 through 5 and VLAN 9 when the SPAN source is a trunk port:

Router(config)# monitor session 2 filter vlan 1 - 5 , 9

Verifying the SPAN Configuration

This example shows how to verify the configuration of SPAN session 2:

Router# show monitor session 2

Session 2
---------
Source Ports:
    RX Only:       Fa5/12
    TX Only:       None
    Both:          None
Source VLANs:
    RX Only:       None
    TX Only:       None
    Both:          None
Destination Ports: Fa5/45
Filter VLANs:      1-5,9 
Router#


hometocprevnextglossaryfeedbacksearchhelp
Posted: Thu Aug 29 00:17:07 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.