Switched Port Analyzer (SPAN) Port Configuration

SPAN (Switched Port Analyzer), also called port mirroring, is a Cisco Catalyst switch feature that copies all traffic from a source port or VLAN to a destination interface. The packets can be captured using the following methods:

  • Local Switched Port Analyzer: Captures local network traffic on a switch and sends a copy to a local port connected to a traffic analyzer.
  • Remote Switched Port Analyzer (RSPAN): Captures network traffic on a remote switch and sends a copy of the network traffic to the local switch via Layer 2 to a local port connected to a traffic analyzer.
  • Encapsulated Remote Switched Port Analyzer (ERSPAN): Captures network traffic on a remote switch and sends a copy of the network traffic to the local system via Layer 3 to a local port connected to a traffic analyzer.

 

Local Switched Port Analyzer (SPAN)

A local SPAN session has everything configured on a single switch. The mirrored traffic is sent to a destination port on that same switch. The packet capture source can be one of the following:

  • One or more distinct switch ports
  • Port channel or EtherChannel
  • VLANs

 

Some switches can support two SPAN sessions, and newer switches can support more. The source SPAN ports can either be switched or routed. However, two SPAN sessions can’t have the same destination port and source port. If the source ports receive more data than the destination can send, the destination port may become saturated, and packet loss can happen.

 

Local SPAN Configuration

The source ports are specified by entering the following command in global configuration mode:

monitor session <session-id> source {interface <interface-id> | vlan <vlan-id>} [rx | tx | both]

 

The session-id enables the switch to associate source ports with destination ports. Multiple interfaces or VLANs can be specified using a comma or a hyphen to indicate a range. The traffic direction can be optionally defined as well. By default, SPAN traffic is captured for both directions. The rx keyword captures traffic received on that source, and the tx keyword captures traffic transmitted by that source.

A trunk port can be configured as a source port to capture traffic from all VLANs that pass through it. This can generate a lot of data and add noise in the network traffic analysis tool. The VLANs in the capture can be filtered using the command:

monitor session <session-id> filter vlan <vlan-range>

[Figure: SPAN Port]

Using the topology above as an example, Gig0/0/0 is the source port. The switch configuration will be:

Switch1(config)#monitor session 1 source interface gig0/0/0
Switch1(config)#monitor session 1 destination interface gig0/0/1

 

The destination port is configured in global configuration mode using the command:

monitor session <session-id> destination interface <interface-id> [encapsulation {dot1q [ingress {dot1q vlan <vlan-id> | untagged vlan <vlan-id> | vlan <vlan-id>}] | replicate [ingress {dot1q vlan <vlan-id> | untagged vlan <vlan-id>}]} | ingress]

 

There are several nested options. Typically, a SPAN session copies the packets without 802.1Q VLAN tags or Layer 2 protocols. That information is included when using the encapsulation replicate keywords:

monitor session <session-id> destination interface <interface-id> [encapsulation replicate]

 

By default, the destination SPAN port only carries the mirrored traffic and rejects ingress traffic. Sometimes the network analyzer itself needs connectivity to the network through that port. In such cases, the following global configuration command is used:

monitor session <session-id> destination interface <interface-id> ingress {dot1q vlan <vlan-id> | untagged vlan <vlan-id>}

 

The dot1q keyword requires incoming packets to be encapsulated with the specified VLAN ID, whereas the untagged keyword accepts incoming packets and associates them with the specified VLAN ID.

 

The SPAN session information can be verified using the command:

Switch1#show monitor session 1
Session 1
---------
Type: Local Session
Source Ports :
Both: gig0/0/0
Destination Ports: gig0/0/1
Encapsulation: Native
Ingress: Disabled
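
The rules described above (comma and hyphen ranges, destination ports that must not be shared between sessions, ingress disabled unless explicitly enabled) can be checked offline against a saved configuration. The Python sketch below is an added example, not part of the original article or any Cisco tool; the sample configuration is constructed, and the names expand, parse and audit are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: "monitor session" lines in the form this page uses.
SAMPLE_CONFIG = """\
monitor session 1 source interface gig0/0/0 , gig0/0/2 - 4 rx
monitor session 1 destination interface gig0/0/1
monitor session 2 source vlan 10 - 12
monitor session 2 destination interface gig0/0/1 ingress untagged vlan 99
monitor session 3 source interface gig0/0/5
monitor session 3 destination interface gig0/0/3 encapsulation replicate
"""
LINE_RE = re.compile(
    r"^ *monitor session (\d+) (source|destination) (interface|vlan) (.+)$", re.M)

def expand(spec):
    """Expand 'gig0/0/0 , gig0/0/2 - 4' or '10 - 12' into individual items."""
    items = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        m = re.fullmatch(r"(.*?)(\d+)\s*-\s*(\d+)", part)
        items += [f"{m[1]}{n}" for n in range(int(m[2]), int(m[3]) + 1)] if m else [part]
    return items

def parse(config):
    """Return {session_id: {'src': [...], 'dst': [...], 'ingress': bool}}."""
    sessions = defaultdict(lambda: {"src": [], "dst": [], "ingress": False})
    for m in LINE_RE.finditer(config):
        sid, role, kind, rest = int(m[1]), m[2], m[3], m[4].strip()
        if role == "source":
            rest = re.sub(r"\s+(rx|tx|both)$", "", rest)  # direction defaults to both
            sessions[sid]["src"] += [("vlan " if kind == "vlan" else "") + i for i in expand(rest)]
        else:
            # Port list ends where the encapsulation/ingress options begin.
            ports = re.split(r"\s+(?=encapsulation|ingress)", rest, maxsplit=1)[0]
            sessions[sid]["dst"] += expand(ports)
            sessions[sid]["ingress"] = "ingress" in rest.split()
    return dict(sessions)

def audit(sessions):
    """Flag ingress-enabled destinations, source/destination overlap, shared destinations."""
    findings, dst_use = [], defaultdict(list)
    all_src = {p for s in sessions.values() for p in s["src"]}
    for sid, s in sorted(sessions.items()):
        for port in s["dst"]:
            dst_use[port].append(sid)
        if s["ingress"]:
            findings.append(f"session {sid}: destination accepts ingress traffic")
    findings += [f"{p}: both source and destination" for p in dst_use if p in all_src]
    findings += [f"{p}: destination of sessions {ids}" for p, ids in dst_use.items() if len(ids) > 1]
    return findings
```

Interface names are compared as exact strings, so abbreviated and full names (for example gig0/0/1 and GigabitEthernet0/0/1) should be normalized before running it on a real configuration.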
