Cisco switches support a feature known as SPAN (short for Switch Port Analyzer) which allows traffic received on an interface or VLAN to be sent to a single physical port. This feature can be tremendously useful for troubleshooting packet delivery across networks, deep packet inspection by security appliances, TCP SYN/ACK monitoring, and many other functions.
The SPAN destination options have improved since the feature was originally released. Cisco SPAN technically implies that the source and destination ports are local to the same switch. If the traffic destination is on another remote switch, Remote SPAN (RSPAN) is used. For RSPAN to function, a dedicated RSPAN VLAN must be configured between the local and remote switch to carry the monitored traffic. Finally, if the destination requires crossing one or more IP networks, then Encapsulated Remote SPAN (ERSPAN) can be used.
SPAN, RSPAN, & ERSPAN Basics
SPAN sources include at least one physical port or at least one VLAN on a switch. The destination port is configured locally on the same switch. Once configured, the SPAN source traffic is delivered to the SPAN destination port.
RSPAN source rules are the same as SPAN; sources include at least one physical port or at least one VLAN on a switch. The difference is that the destination is the configured RSPAN VLAN, not a local physical port. The RSPAN VLAN must be extended across the entire switched path between the source switch and the switch that contains the destination port. Verify that the RSPAN VLAN is allowed and forwarding on every trunk link between the source and destination switches.
ERSPAN builds upon RSPAN by encapsulating RSPAN traffic and creating a generic routing encapsulation (GRE) tunnel to route over an IP transport. ERSPAN was introduced in IOS-XE, which runs on specific routing-capable platforms like the ASR 1000, Catalyst 6500, 7600, and the Nexus family of data center switches.
All SPAN types allow a wide range of source ports including switch ports, routed ports, trunk ports, access ports, and EtherChannel (port-channel) ports. Speaking of EtherChannels, either the EtherChannel interface itself or individual member ports can be used as the source. When a VLAN is used as the source, all active interfaces within the VLAN are monitored. If interfaces are added or removed, the participating interfaces are dynamically updated.
SPAN, RSPAN, and ERSPAN require several conditions in order for traffic to be monitored.
- SPAN sources can be one or more physical ports OR a single VLAN, not a mix of the two.
- A SPAN source port cannot also be a destination port. Likewise, a destination SPAN port cannot be a source port.
- Only one SPAN/RSPAN/ERSPAN session can mirror traffic to a single destination port. No sharing destination ports.
- When trunk ports are used as the SPAN source, traffic from all VLANs is monitored by default. The optional filter vlan command can be added to limit which VLANs on the trunk will be monitored.
SPAN Transmit & Receive Considerations
SPAN, RSPAN, and ERSPAN support three different monitoring modes: transmitted, received, and both. The default operation is to monitor both the traffic exiting (transmit) and entering (receiving) a source port or VLAN. Each source can optionally be modified to only capture transmit or receive traffic.
Receive means all traffic entering a source switch port or VLAN. The traffic is copied and sent to the SPAN destination BEFORE any modifications (like ACL/VACL filtering, QoS, or policing) occur.
Transmit means all traffic leaving a source switch port or VLAN. The traffic is copied and sent to the SPAN destination AFTER any modifications (like ACL/VACL filtering, QoS, or policing) occur. This means that the transmit traffic forwarded to the SPAN destination may not contain all of the source's transmit traffic, depending on the local policies applied.
SPAN also discards certain types of control-plane traffic by default. SPAN/RSPAN sessions typically do not include CDP, Spanning Tree BPDUs, VTP, DTP, and PAgP frames. If you need that traffic included in the monitored session, the encapsulation replicate command should be configured.
SPAN Destination Restrictions
SPAN, RSPAN, and ERSPAN share common destination port restrictions and conditions. The following list contains the most important:
- A SPAN destination port cannot also be a source port or be a member of a source VLAN.
- When a destination port is specified in the configuration, the existing interface configuration is overwritten. When the destination port is removed from the SPAN configuration, the original interface configuration is restored.
- SPAN destination ports do not support control-plane protocols like CDP, Spanning Tree, VTP, or DTP.
- Destination ports are generally incompatible with layer 2 security features like port security and private VLANs. 802.1x authentication is also unsupported.
Simple SPAN Configuration Example
The first SPAN configuration builds a monitored session that captures all traffic on interface FastEthernet 1/0/20 and mirrors it to interface FastEthernet 1/0/25. This is a typical configuration used for simple application traffic troubleshooting at a local site.
MDF1#show monitor session all
No SPAN configuration is present in the system.
MDF1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
MDF1(config)#monitor session 1 source interface fa1/0/20
MDF1(config)#monitor session 1 destination interface fa1/0/25
MDF1(config)#exit
MDF1#show monitor session all
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa1/0/20
Destination Ports      : Fa1/0/25
    Encapsulation      : Native
          Ingress      : Disabled
Complex SPAN Configuration Example
In this example we configure the local switch to send all captured traffic that meets the following requirements to interface fa1/0/26:
- Sent on interface FastEthernet 1/0/21.
- Received on interface FastEthernet 1/0/22.
- Sent and received on trunk interface FastEthernet 1/0/23.
- Encapsulation protocol traffic should be preserved in the SPAN.
- VLANs 10, 50, and 99 should not be monitored on trunk interface FastEthernet 1/0/23.
MDF1(config)#monitor session 10 source interface fa1/0/21 tx
MDF1(config)#monitor session 10 source interface fa1/0/22 rx
MDF1(config)#monitor session 10 source interface fa1/0/23
MDF1(config)#monitor session 10 filter vlan 10
MDF1(config)#monitor session 10 filter vlan 50
MDF1(config)#monitor session 10 filter vlan 99
MDF1(config)#monitor session 10 destination interface fa1/0/26 encapsulation replicate
MDF1#show monitor sess 10
Session 10
----------
Type                   : Local Session
Source Ports           :
    RX Only            : Fa1/0/22
    TX Only            : Fa1/0/21
    Both               : Fa1/0/23
Destination Ports      : Fa1/0/26
    Encapsulation      : DOT1Q
          Ingress      : Disabled
Filter VLANs           : 10,50,99
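The rules listed earlier (sources are ports or VLANs but not a mix, a destination port is never also a source, no two sessions share a destination port, filter vlan applies to trunk sources) are easy to violate when sessions are built by hand, and IOS does not always reject the mistake cleanly. The following Python script is an added example and is not part of the original article or any Cisco tooling: it describes sessions declaratively, checks them against those rules, and emits the monitor session commands. The dataclass and function names (Source, SpanSession, validate, render) are this example's own; the interface names, VLAN numbers and session IDs are taken from the article's examples, and the second session is a constructed bad spec used to exercise the checks.

```python
# Added example (not from the original article): generate Cisco IOS
# "monitor session" lines from a declarative spec and check the SPAN
# rules the article lists before anything is pasted into a switch.
from dataclasses import dataclass, field
from typing import List


@dataclass
class Source:
    kind: str                  # "interface" or "vlan"
    name: str                  # "fa1/0/21", or a VLAN id/range such as "20-22"
    direction: str = "both"    # "rx", "tx" or "both" (both is the IOS default)


@dataclass
class SpanSession:
    session_id: int
    sources: List[Source]
    destination: str                        # local interface, or an RSPAN VLAN id
    destination_kind: str = "interface"     # "interface" (SPAN) or "remote vlan" (RSPAN)
    filter_vlans: List[int] = field(default_factory=list)
    encapsulation_replicate: bool = False   # keep CDP/STP/VTP/DTP frames in the copy


def validate(sessions: List[SpanSession]) -> List[str]:
    """Return human-readable rule violations; an empty list means the spec is clean."""
    problems = []
    owners = {}  # destination interface -> session that already claims it
    for s in sessions:
        tag = f"session {s.session_id}"
        kinds = {src.kind for src in s.sources}
        if kinds == {"interface", "vlan"}:
            problems.append(f"{tag}: sources mix physical ports and VLANs")
        for src in s.sources:
            if src.direction not in ("rx", "tx", "both"):
                problems.append(f"{tag}: bad direction {src.direction!r} on {src.name}")
            if (s.destination_kind == "interface" and src.kind == "interface"
                    and src.name.lower() == s.destination.lower()):
                problems.append(f"{tag}: {s.destination} is both a source and the destination")
        if s.filter_vlans and "interface" not in kinds:
            problems.append(f"{tag}: filter vlan only applies to trunk port sources")
        if s.destination_kind == "interface":
            key = s.destination.lower()
            if key in owners:
                problems.append(f"{tag}: destination {s.destination} already used by session {owners[key]}")
            owners.setdefault(key, s.session_id)
    return problems


def render(s: SpanSession) -> List[str]:
    """Emit the IOS global-configuration lines for one session."""
    prefix = f"monitor session {s.session_id}"
    lines = []
    for src in s.sources:
        line = f"{prefix} source {src.kind} {src.name}"
        if src.direction != "both":     # IOS assumes both when no direction is given
            line += f" {src.direction}"
        lines.append(line)
    for vlan in s.filter_vlans:
        lines.append(f"{prefix} filter vlan {vlan}")
    dest = f"{prefix} destination {s.destination_kind} {s.destination}"
    if s.encapsulation_replicate:
        dest += " encapsulation replicate"
    lines.append(dest)
    return lines


# The article's "complex" local SPAN session.
COMPLEX_SESSION = SpanSession(
    session_id=10,
    sources=[Source("interface", "fa1/0/21", "tx"),
             Source("interface", "fa1/0/22", "rx"),
             Source("interface", "fa1/0/23")],
    destination="fa1/0/26",
    filter_vlans=[10, 50, 99],
    encapsulation_replicate=True,
)

# The article's IDF1 RSPAN source session.
RSPAN_SESSION = SpanSession(
    session_id=2,
    sources=[Source("vlan", "20-22", "rx"), Source("vlan", "99")],
    destination="400",
    destination_kind="remote vlan",
)

# Constructed bad spec: mixes port and VLAN sources, mirrors fa1/0/26 to itself
# and reuses the destination port that session 10 already owns.
BAD_SESSION = SpanSession(
    session_id=11,
    sources=[Source("interface", "fa1/0/26"), Source("vlan", "99")],
    destination="fa1/0/26",
)

if __name__ == "__main__":
    for session in (COMPLEX_SESSION, RSPAN_SESSION):
        print("\n".join(render(session)))
    for problem in validate([COMPLEX_SESSION, RSPAN_SESSION, BAD_SESSION]):
        print("VIOLATION:", problem)
```

Running the script prints the same command lines the article shows for session 10 on MDF1 and session 2 on IDF1, and three violations for the constructed session 11. The RSPAN VLAN is deliberately exempt from the shared-destination check because, as the RSPAN example shows, several source switches legitimately send into the same RSPAN VLAN.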
RSPAN Configuration Example
RSPAN is configured very similarly to traditional SPAN. In this example, two different IDF switches send monitored traffic to destination port FastEthernet 1/0/48 on switch MDF1. The monitored traffic uses RSPAN VLAN 400 as the transport between the IDF and MDF switches.
The configuration will monitor the following traffic:
- IDF1 – all traffic received on VLANs 20, 21, and 22.
- IDF1 – all traffic sent and received on VLAN 99.
- IDF2 – all traffic received on VLAN 1.
IDF1#configure terminal
IDF1(config)#vlan 400
IDF1(config-vlan)#remote span
IDF1(config-vlan)#exit
IDF1(config)#monitor session 2 source vlan 20-22 rx
IDF1(config)#monitor session 2 source vlan 99
IDF1(config)#monitor session 2 destination remote vlan 400
IDF1(config)#exit
…
IDF2#configure terminal
IDF2(config)#vlan 400
IDF2(config-vlan)#remote span
IDF2(config-vlan)#exit
IDF2(config)#monitor session 3 source vlan 1 rx
IDF2(config)#monitor session 3 destination remote vlan 400
IDF2(config)#exit
…
MDF1#configure terminal
MDF1(config)#vlan 400
MDF1(config-vlan)#remote span
MDF1(config-vlan)#exit
MDF1(config)#monitor session 40 source remote vlan 400
MDF1(config)#monitor session 40 destination interface fa1/0/48
MDF1(config)#exit
MDF1#show monitor session 40
Session 40
----------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 400
Destination Ports      : Fa1/0/48
    Encapsulation      : Native
          Ingress      : Disabled
Notice in the RSPAN configuration above that different session IDs are used on each of the three switches. The session ID is only locally relevant, so using different SPAN session IDs (or the same) is acceptable.
ERSPAN Configuration Example
In this example, ASR1 is configured to monitor traffic transmitted out interface Gig0/0/0. The monitored traffic will be encapsulated in GRE by ASR1 and routed to ASR2. The capture stream is then delivered to interface Gig2/0/1 on ASR2.
Note that the ERSPAN source session requires a no shutdown to become active. If the destination interface is shut down, the SPAN session will not come up either. Once no shutdown has been issued on both the ERSPAN source session and the destination interface, the SPAN session comes up.
ASR1(config)#monitor session 1 type erspan-source
ASR1(config-mon-erspan-src)#source interface gi0/0/0 tx
ASR1(config-mon-erspan-src)#no shutdown
ASR1(config-mon-erspan-src)#destination
ASR1(config-mon-erspan-src-dst)#erspan-id ?
  <1-1023>  Erspan ID
ASR1(config-mon-erspan-src-dst)#erspan-id 501
ASR1(config-mon-erspan-src-dst)#ip address 10.40.100.10
ASR1(config-mon-erspan-src-dst)#origin ip address 172.16.10.1
ASR1(config-mon-erspan-src-dst)#exit
ASR1(config-mon-erspan-src)#exit

ASR2(config)#monitor session 11 type erspan-destination
ASR2(config-mon-erspan-dst)#destination interface gi2/0/1
ASR2(config-mon-erspan-dst)#no shut
ASR2(config-mon-erspan-dst)#source
ASR2(config-mon-erspan-dst-src)#erspan-id 501
ASR2(config-mon-erspan-dst-src)#ip address 10.40.100.10
ASR2(config-mon-erspan-dst-src)#exit
To show the status of a SPAN, RSPAN, or ERSPAN session, issue the show monitor session <ID> command. Here is the show monitor session output from ASR1 for the ERSPAN source configuration above.
ASR1#show monitor session 1
Session 1
---------
Type                   : ERSPAN Source Session
Status                 : Admin Enabled
Source Ports           :
    TX Only            : Gi0/0/0
Destination IP Address : 10.40.100.10
Destination ERSPAN ID  : 501
Origin IP Address      : 172.16.10.1
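Because ERSPAN rides over routed GRE, a collector behind ASR2 (or a probe that receives the GRE stream directly) should check that each packet really comes from the configured origin, is addressed to the configured destination, and carries the configured erspan-id before trusting the inner frame. The Python script below is an added example and is not part of the original article or any Cisco software. It assumes the ERSPAN Type II wire format (GRE protocol 0x88BE with the sequence-number bit set, followed by an 8-byte ERSPAN header whose 10-bit session ID field carries the erspan-id), builds a constructed sample packet with the article's addresses and erspan-id 501, decodes it, and applies that accept/reject policy. The function names build_erspan_packet, decode_erspan and accept are this example's own, and the inner Ethernet frame and the second "wrong origin" packet are constructed test data.

```python
# Added example (not from the original article): build, decode and filter
# ERSPAN Type II packets as a collector would. Wire-format assumptions:
# outer IPv4 (protocol 47), GRE with S bit + sequence number, protocol 0x88BE,
# then the 8-byte ERSPAN Type II header, then the mirrored Ethernet frame.
import ipaddress
import struct

IPPROTO_GRE = 47
GRE_PROTO_ERSPAN2 = 0x88BE
GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000


def build_erspan_packet(origin, dest, session_id, vlan, frame, seq=1):
    """Constructed sample packet: IPv4 + GRE(seq) + ERSPAN II + frame (IP checksum left 0)."""
    ver, cos, en, truncated = 1, 0, 0, 0          # version 1 == ERSPAN Type II
    word1 = (ver << 28) | (vlan << 16) | (cos << 13) | (en << 11) | (truncated << 10) | session_id
    erspan = struct.pack("!II", word1, 0)         # word2: reserved(12) | index(20)
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN2, seq)
    total_len = 20 + len(gre) + len(erspan) + len(frame)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_GRE, 0,
                     ipaddress.IPv4Address(origin).packed, ipaddress.IPv4Address(dest).packed)
    return ip + gre + erspan + frame


def decode_erspan(packet):
    """Return outer IPs, GRE sequence and ERSPAN header fields, or raise ValueError."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    origin = str(ipaddress.IPv4Address(packet[12:16]))
    dest = str(ipaddress.IPv4Address(packet[16:20]))
    off = (packet[0] & 0x0F) * 4                  # skip IP header incl. any options
    flags, gre_proto = struct.unpack_from("!HH", packet, off)
    off += 4
    if flags & GRE_FLAG_CHECKSUM:
        off += 4                                  # checksum + reserved1
    if flags & GRE_FLAG_KEY:
        off += 4
    seq = None
    if flags & GRE_FLAG_SEQ:
        seq = struct.unpack_from("!I", packet, off)[0]
        off += 4
    if gre_proto != GRE_PROTO_ERSPAN2:
        raise ValueError(f"GRE protocol 0x{gre_proto:04x} is not ERSPAN Type II")
    word1, word2 = struct.unpack_from("!II", packet, off)
    off += 8
    return {
        "origin": origin, "destination": dest, "seq": seq,
        "version": word1 >> 28,
        "vlan": (word1 >> 16) & 0xFFF,
        "cos": (word1 >> 13) & 0x7,
        "en": (word1 >> 11) & 0x3,
        "truncated": bool((word1 >> 10) & 1),
        "session_id": word1 & 0x3FF,              # the erspan-id (1-1023)
        "index": word2 & 0xFFFFF,
        "frame": packet[off:],
    }


# Values from the article's ERSPAN example.
EXPECTED = {"origin": "172.16.10.1", "destination": "10.40.100.10", "session_id": 501}


def accept(packet, expected=EXPECTED):
    """Collector policy: only decode frames from the configured origin/destination/erspan-id."""
    try:
        hdr = decode_erspan(packet)
    except ValueError:
        return False
    return (hdr["version"] == 1
            and hdr["origin"] == expected["origin"]
            and hdr["destination"] == expected["destination"]
            and hdr["session_id"] == expected["session_id"])


# Constructed inner Ethernet frame: dst MAC, src MAC, EtherType IPv4, 20 filler bytes.
SAMPLE_FRAME = bytes.fromhex("0011223344550066778899aa0800") + b"\x45\x00" + bytes(18)
GOOD_PACKET = build_erspan_packet("172.16.10.1", "10.40.100.10", 501, 20, SAMPLE_FRAME)
WRONG_ORIGIN = build_erspan_packet("192.0.2.9", "10.40.100.10", 501, 20, SAMPLE_FRAME)

if __name__ == "__main__":
    hdr = decode_erspan(GOOD_PACKET)
    print(f"origin={hdr['origin']} erspan-id={hdr['session_id']} vlan={hdr['vlan']} "
          f"seq={hdr['seq']} inner_bytes={len(hdr['frame'])}")
    print("accept good:", accept(GOOD_PACKET), "accept wrong origin:", accept(WRONG_ORIGIN))
```

The origin check matters because the ERSPAN destination session on ASR2 matches only on erspan-id and destination address, so anything that can reach 10.40.100.10 with GRE and the right session ID is otherwise indistinguishable from ASR1's feed; a collector-side filter (or an ACL on the transit path permitting GRE only from the origin address) closes that gap. A production decoder would also verify the IPv4 header checksum, which the constructed sample leaves at zero.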