Switched Port Analyzer (SPAN) allows traffic to be replicated to a port from a specified source. The traffic to be replicated can be from physical ports, virtual ports, or VLANs, but you cannot mix source types within a single SPAN session. The most common reason for SPAN to be employed is for packet capture. If you need to capture the traffic on VLAN 10, for example, you can’t just plug a sniffer on a port in that VLAN, as the switch will only forward packets destined for the sniffer. However, enabling SPAN with the VLAN as the source, and the sniffer’s port as the destination, will cause all traffic on the VLAN to be sent to the sniffer. SPAN is also commonly deployed when Intrusion Detection Systems (IDSs) are added to a network. IDS devices need to read all packets in one or more VLANs, and SPAN can get the packets to the IDS devices.
Using Remote Switched Port Analyzer (RSPAN), you can even send packets to another switch. RSPAN can be useful in data centers where a packet-capture device is permanently installed on one of many interconnected switches. With RSPAN, you can capture packets on switches other than the one with the sniffer attached (RSPAN configuration details are provided later in this section).
Configure SPAN with the monitor command.
switch(config)#monitor session 1 ?
destination SPAN destination interface or VLAN
filter SPAN filter
source SPAN source interface, VLAN
Having more than one SPAN session is useful when you have an IDS device on your network and you need to do a packet capture. The IDS device will require one SPAN session, while the packet capture will use another.
For a monitor session to be active, you must configure a source port or VLAN, and a destination port. Usually, I configure the destination port first because the packetcapture device is already attached. If you have port security set, you must disable it before you can use the port as a SPAN destination:
switch(config)#monitor session 1 destination interface g1/0/20
%Secure port can not be dst span port
Sessions can be numbered from 1 to 66, but you can only have two sessions configured at any given time on a 3750 switch. Here, I have two sessions configured (session 1 and session 10):
monitor session 1 source vlan 20 rx
monitor session 1 destination interface Gi1/0/10
!
monitor session 10 source vlan 10 rx
monitor session 10 destination interface Gi1/0/20
If you try to configure more than two SPAN sessions on a 3750 switch, you will get the following error:
switch(config)#monitor session 20 source int g1/0/10
% Platform can support a maximum of 2 source sessions
In this example, I’ve configured two VLANs to be the sources, both of which will have their packets reflected to interface Gi1/0/20:
monitor session 10 source vlan 20 rx
monitor session 10 source vlan 10
monitor session 10 destination interface Gi1/0/20
You can also monitor one or more interfaces. Multiple interfaces can be configured separately or on a single configuration line:
switch(config)#monitor session 11 source interface g1/0/11
switch(config)#monitor session 11 source interface g1/0/12
Entering the two preceding commands adds the following line to the configuration:
monitor session 11 source interface Gi1/0/11 – 12
The sources in a monitor session can be configured as either receive (rx), transmit (tx), or both. The default is both:
switch(config)#monitor session 1 source int g1/0/12 ?
, Specify another range of interfaces
– Specify a range of interfaces
both Monitor received and transmitted traffic
rx Monitor received traffic only
tx Monitor transmitted traffic only
<cr>
Interfaces should usually be monitored in both directions, while VLANs should be monitored in only one direction.
To see which SPAN sessions are configured or active, use the show monitor command:
swtich#show monitor
Displays the session info.
To disable monitoring on a specific SPAN, you can delete the entire monitor session, remove all the sources, or remove the destination. All monitor commands can be negated:
switch(config)#no monitor session 11 source interface Gi1/0/11 – 12
You can remove all local SPAN, all RSPAN, or all SPAN sessions as a group by adding the local, remote, or all keywords:
switch(config)#no monitor session ?
<1-66> SPAN session number
all Remove all SPAN sessions in the box
local Remove Local SPAN sessions in the box
remote Remove Remote SPAN sessions in the box
You should always remove your SPAN sessions when you no longer need them. SPAN takes up system resources, and there can be confusion if someone plugs a device into the SPAN destination port.
RSPAN works the same way that SPAN does, with the exception that the destination interface is on another switch. The switches must be connected with an RSPAN VLAN. To create an RSPAN VLAN, configure a VLAN and add the remote-span command:
switch-1(config)#vlan 777
switch-1(config-vlan)# remote-span
If you’re running VTP, you may not need to create the VLAN, but you will still need to configure it for RSPAN. In either case, the steps are the same. On the source switch, specify the destination as the RSPAN VLAN:
switch-1(config)#monitor session 11 destination remote vlan 777
You can enter a destination VLAN that has not been configured as an RSPAN VLAN, but, alas, it won’t work.
Now, on the destination switch, configure the same VLAN as an RSPAN VLAN. Once you’ve done that, configure a monitor session to receive the RSPAN being sent from the source switch:
switch-2(config)#vlan 777
switch-2(config-vlan)#remote-span
switch-2(config)#monitor session 11 source remote vlan 777
There is no requirement for the monitor session numbers to be the same, but as I like to say, simple is good. If you have not configured the source switch to be the RSPAN source, you will get an error:
switch-2(config)#monitor session 11 source remote vlan 777
% Cannot add RSPAN VLAN as source for SPAN session 11 as it is not a RSPAN Destination session
When using RSPAN, don’t use an existing trunk for your RSPAN VLAN. SPAN can create a large amount of traffic. When you’re monitoring VLANs composed of multiple gigabit interfaces, the SPAN traffic can easily overwhelm a single gigabit RSPAN link. Whenever possible, set up a dedicated RSPAN VLAN link between the switches.
MystaJoneS 