Local SPAN

Local SPAN is the most basic form of packet capture: the destination of the mirrored traffic is another port on the local switch.

The source of the packet capture can be one of the following interfaces:

  • One or more specific switch ports
  • An entire port channel
  • All of the ports assigned to a VLAN

There are some considerations when setting up a local SPAN session:

  • Most switches can support more than two SPAN sessions
  • The source port cannot be re-used for more than one SPAN session
  • Source ports can be switch or routed ports
  • The destination cannot be reused between multiple SPAN sessions
  • It is possible to saturate the destination port, for example a port channel being mirrored to a single destination port, or a 10Gbps port being mirrored to a 1Gbps port

Specifying a Source Port

The source port can be defined with the global configuration command monitor session <session-id> source.

Complete the command by choosing to mirror an interface or a vlan. Finally, complete the configuration line by choosing whether to mirror received traffic with rx, transmitted traffic with tx, or both.

monitor session 10 source interface GigabitEthernet0/0

If the port is a trunk port and you wish to only pick out a single VLAN, the following command can assist with that:

monitor session 10 filter vlan <vlan-id>

Specifying a Destination Port

The destination port is defined with the global configuration command

monitor session <session-id> destination interface <interface-id>

There are a number of additional options that can be applied when setting the destination port.

With its default configuration, the SPAN session copies traffic without any 802.1Q tags or Layer 2 protocols. Adding encapsulation replicate as an option will include this additional data.

By default the port used for the destination only egresses mirror traffic but drops ingress traffic. Adding a dot1q vlan keyword on the end will expect any received traffic to be encapsulated with the VLAN ID specified. Adding untagged vlan will encapsulate any received traffic in the chosen VLAN.

Verifying the configuration

The configuration can be verified with the command show monitor session followed by the session ID.
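
As an added example (not part of the original article), the Python sketch below checks saved monitor session lines against the considerations listed earlier: a source or destination port reused across sessions, and sources whose combined nominal speed exceeds that of the destination. It assumes one full interface name per line and infers speed from that name; the function name audit_span and the sample configuration are constructed for illustration.

```python
import re
from collections import defaultdict

# Nominal speed in Mbps inferred from the interface name (an assumption of this sketch).
SPEEDS = {"FastEthernet": 100, "GigabitEthernet": 1000, "TenGigabitEthernet": 10000}
LINE = re.compile(
    r"^monitor session (\d+) (source|destination) interface ([A-Za-z]+)([\d/]+)")

def audit_span(config):
    """Return sorted findings for the local SPAN sessions found in config text."""
    sources = defaultdict(set)   # port -> session IDs that mirror from it
    dests = defaultdict(set)     # port -> session IDs that mirror to it
    speeds = defaultdict(lambda: {"source": 0, "destination": 0})
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue             # VLAN sources and filter lines carry no port speed
        sid, role, kind, num = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        (sources if role == "source" else dests)[kind + num].add(sid)
        speeds[sid][role] += SPEEDS.get(kind, 0)
    findings = []
    for role, ports in (("source", sources), ("destination", dests)):
        for port, sids in ports.items():
            if len(sids) > 1:
                findings.append(f"{role} {port} reused in sessions {sorted(sids)}")
    for sid, s in speeds.items():
        # Skip the saturation check when the destination speed is unknown (0).
        if s["destination"] and s["source"] > s["destination"]:
            findings.append(f"session {sid}: {s['source']} Mbps of sources "
                            f"into a {s['destination']} Mbps destination")
    return sorted(findings)

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
monitor session 10 source interface GigabitEthernet0/0
monitor session 10 source interface GigabitEthernet0/1 rx
monitor session 10 destination interface GigabitEthernet0/2
monitor session 11 source interface GigabitEthernet0/0 tx
monitor session 11 destination interface GigabitEthernet0/2
monitor session 12 source interface TenGigabitEthernet1/1
monitor session 12 destination interface GigabitEthernet0/3
"""

if __name__ == "__main__":
    for finding in audit_span(SAMPLE):
        print(finding)
```

The saturation check compares nominal line rates only, so it flags where the destination could be overrun, not where it is.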


