The most basic form of packet capture, the destination of mirrored traffic configured by SPAN is another port on the local switch.
The source of the packet capture can be one of the following interfaces:
- One or more specific switch ports
- An entire port channel
- All of the ports assigned to a VLAN
There are some considerations when setting up a local SPAN session
- Most switches can support more than two SPAN sessions
- The source port can not be re-used for more than one SPAN session
- Source ports can be switch or routed ports
- The destination can not be reused between multiple SPAN sessions
- It is possible to saturate the destination port, for example a port channel being mirrored to a single destination port, or a 10Gbps port being mirrored to a 1Gbps port
Specifying a Source Port
The source port can be defined with the global configuration command
monitor session <session-id> source.
Complete the command by choosing to mirror a
vlan. Finally complete the configuration line on whether to mirror received traffic with
rx, transmitted traffic with
monitor session 10 source interface GigabitEthernet0/0
If the port is a trunk port and you wish to only pick out a single VLAN, the following command can assist with that:
monitor session 10 filter vlan <vlan-id>
Specifying a Destination Port
The destination port is defined with the global configuration command
monitor session <session-id> destination interface <interface-id>
There a number of additional options that can be applied with setting the destination port.
The SPAN session with it’s default configuration copies traffic without any 802.1Q tags or Layer2 Protocols. Adding
encapsulation replicate on as an option will include this additional data.
By default the port used for the destination only egresses mirror traffic but drops ingress traffic. Adding a
dot1q vlan keyword on the end will expect any received traffic to be encapsulated with the VLAN ID specified. Adding u
ntagged vlan will encapsulate any received traffic in the chosen VLAN.
Verifying the configuration
The configuration can be verified with the command
show monitor session followed by the session ID