I’ve had the opportunity to configure and support SPAN ports with a couple of different web-based applications. The first was a product called Websense, formerly SurfControl, and the other was Cisco’s Layer 4 Web Security Appliance (WSA) traffic monitor. Recently I had the opportunity to move our production SPAN configuration from an aging 3750 stack to our new Cisco Nexus 6001 core switches. If you’re not familiar with spanning ports, or monitoring ports, it is basically the ability to duplicate frames and send them to a monitoring device, such as the ones mentioned above, for further analysis. 

Once traffic is spanned, the switch duplicates the frames seen on the spanned (monitored) port and sends the copy to another port on the switch, where they can be analyzed. The destination port can be connected to a SwitchProbe device or another Remote Monitoring (RMON) probe or security device. The monitored port mirrors received or sent (or both) traffic on one or more source ports to a destination port for analysis.

Common Applications

  • IPS / IDS
  • Layer 4 Traffic monitors
  • VoIP Call Recording
  • Traffic Analyzers

SPAN

When the source and destination port or VLAN reside on the same switch, it’s considered a SPAN configuration. A SPAN configuration is localized: the SPAN exists on a single switch, fabric or trunk. 

RSPAN

When the destination port or VLAN resides on a remote switch, it’s considered a remote SPAN, or RSPAN. In RSPAN mode the RSPAN VLAN must exist on both switches and be carried between them via trunking. This is another important reason to configure your trunk ports consistently and accurately throughout your enterprise. The configuration and placement of your Spanning Tree root bridge and VTP server are very important! 

  • Range 1 to 66

Restrictions & Conditions

  • The destination port’s existing configuration is overwritten. 
  • If the destination port is part of an EtherChannel, it will be removed from the channel.
  • Destination ports do not support 802.1X authentication or private VLANs.
  • Destination ports do not support Layer 2 protocols such as VTP, DTP and CDP.
  • The sources can be either ports or VLANs, but not a mix of the two.
  • Up to 64 SPAN destination ports can be configured on a switch.
  • Switched and routed ports can be configured as SPAN sources or destinations.
  • Avoid overloading the SPAN destination port.
  • A SPAN destination cannot be a source port, and a source cannot be a destination.
  • The SPAN destination port ceases to act as a normal port.

Let’s configure a simple SPAN on a switch called SW1.

SW1#configure terminal
SW1(config)#monitor session 1 source interface gi1/0/10
SW1(config)#monitor session 1 destination interface gi1/0/11 ingress untagged vlan 222
SW1(config)#end
SW1#

Let’s take a quick look at session 1 and the members we defined above.

SW1#show monitor session 1 

Session 1
---------
Type                 : Local Session
Source Ports         :
Both                : Gi1/0/10
Destination Ports   : Gi1/0/11
Encapsulation        : Native
Ingress              : Enabled

Now let’s take a more detailed look at session 1 and its members. 

SW1#show monitor session 1 detail

Session 1
---------
Type                : Local Session
Source Ports        :
RX Only             : None
TX Only             : None
Both                : Gi1/0/10
Source VLANs        :
RX Only             : None
TX Only             : None
Both                : None
Source RSPAN VLAN   : None
Destination Ports   : Gi1/0/11
Encapsulation       : Native
Ingress             : Enabled, default VLAN = 222
Filter VLANs        : None
Dest RSPAN VLAN     : None
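The detailed output above is easy to read by eye for one session, but on a core switch with many sessions it is worth checking mechanically that nobody has violated the restrictions listed earlier (a port that is both source and destination, a session mixing port and VLAN sources, a session with no destination at all). The following script is an added example written for this post, not Cisco code or anything from the original article; it parses the "show monitor session N detail" text format shown above (the sample input is the session 1 output re-typed as a constant) and reports restriction violations. The field names it keys on are the ones visible in the output above; anything else is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the 'show monitor session 1 detail' output from this
# post, embedded here so the script runs offline.
SAMPLE_DETAIL = """\
Session 1
---------
Type                : Local Session
Source Ports        :
RX Only             : None
TX Only             : None
Both                : Gi1/0/10
Source VLANs        :
RX Only             : None
TX Only             : None
Both                : None
Source RSPAN VLAN   : None
Destination Ports   : Gi1/0/11
Encapsulation       : Native
Ingress             : Enabled, default VLAN = 222
Filter VLANs        : None
Dest RSPAN VLAN     : None
"""


@dataclass
class MonitorSession:
    number: int
    session_type: str = ""
    source_ports: dict = field(default_factory=dict)   # direction -> [ports]
    source_vlans: dict = field(default_factory=dict)   # direction -> [vlans]
    destination_ports: list = field(default_factory=list)
    source_rspan_vlan: str = "None"
    dest_rspan_vlan: str = "None"
    ingress: str = ""


def _split_list(value):
    """'Gi1/0/10,Gi1/0/12' -> ['Gi1/0/10', 'Gi1/0/12']; 'None' -> []."""
    value = value.strip()
    if not value or value == "None":
        return []
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_detail(text):
    """Parse one 'show monitor session N detail' block into a MonitorSession."""
    session = None
    section = None  # which 'Source ...' block the RX/TX/Both lines belong to
    for line in text.splitlines():
        m = re.match(r"Session (\d+)", line)
        if m:
            session = MonitorSession(int(m.group(1)))
            continue
        if session is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Type":
            session.session_type = value
        elif key == "Source Ports":
            section = "ports"
        elif key == "Source VLANs":
            section = "vlans"
        elif key in ("RX Only", "TX Only", "Both"):
            target = session.source_ports if section == "ports" else session.source_vlans
            target[key] = _split_list(value)
        elif key == "Destination Ports":
            session.destination_ports = _split_list(value)
        elif key == "Source RSPAN VLAN":
            session.source_rspan_vlan = value
        elif key == "Dest RSPAN VLAN":
            session.dest_rspan_vlan = value
        elif key == "Ingress":
            session.ingress = value
    return session


def check_session(session):
    """Return a list of restriction violations; an empty list means the session looks sane."""
    problems = []
    src_ports = {p for ports in session.source_ports.values() for p in ports}
    src_vlans = {v for vlans in session.source_vlans.values() for v in vlans}
    dests = set(session.destination_ports)
    if src_ports and src_vlans:
        problems.append("source mixes ports and VLANs")
    overlap = src_ports & dests
    if overlap:
        problems.append("port is both a SPAN source and destination: " + ", ".join(sorted(overlap)))
    if not dests and session.dest_rspan_vlan == "None":
        problems.append("session has no destination port or RSPAN VLAN")
    if not src_ports and not src_vlans and session.source_rspan_vlan == "None":
        problems.append("session has no source")
    return problems


if __name__ == "__main__":
    s = parse_detail(SAMPLE_DETAIL)
    print(f"Session {s.number}: sources={s.source_ports}, destinations={s.destination_ports}")
    print("problems:", check_session(s) or "none")
```

Feed it the output of "show monitor session all detail" split on the "Session N" headers and it will flag the misconfigurations that the restrictions list says the switch should never be left in; the same parser also works for RSPAN sessions, since a session whose only destination is a "Dest RSPAN VLAN" is accepted as valid.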

I hope you found this quick and simple post on port monitoring helpful and informative. Be sure to let me know what you think by leaving suggestions and feedback in the comments section below. You can find out more about these and other topics by checking out recent posts and archives. To learn more about me, be sure to check out the About page. And as always, thanks again for visiting The Packet.