32-11
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 32 Configuring SPAN and RSPAN
Understanding Flow-Based SPAN
Understanding Flow-Based SPAN
You can control the type of network traffic to be monitored in SPAN or RSPAN sessions by using
flow-based SPAN (FSPAN) or flow-based RSPAN (FRSPAN), which apply access control lists (ACLs)
to the monitored traffic on the source ports. The FSPAN ACLs can be configured to filter IPv4, IPv6,
and non-IP monitored traffic.
You apply an ACL to a SPAN session through the interface. It is applied to all the traffic that is monitored
on all
interfaces in the SPAN session.The packets that are permitted by this ACL are copied to the SPAN
destination port. No other packets are copied to the SPAN destination port.
The original traffic continues to be forwarded, an
d any port, VLAN, and router ACLs attached are
applied. The FSPAN ACL does not have any effect on the forwarding decisions. Similarly, the port,
VLAN, and router ACLs do not have any effect on the traffic monitoring. If a security input ACL denies
a packet and it is not forwarded, the packet is still copied to the SPAN destination ports if the FSPAN
ACL permits it. But if the security output ACL denies a packet and it is not sent, it is not copied to the
SPAN destination ports. However, if the security output ACL permits the packet to go out, it is only
copied to the SPAN destination ports if the FSPAN ACL permits it. This is also true for an RSPAN
session.
You can attach three types of FSPAN ACLs to the SPAN session:
• IPv4 FSPAN ACL— filters only IPv4 packets.
• IPv6 FSPAN ACL— filters only IPv6 packets.
• MAC FSPAN ACL— filters only non-IP packets.
The security ACLs have higher priority than the FSP
AN ACLs on a switch. If FSPAN ACLs are applied,
and you later add more security ACLs that cannot fit in the hardware memory, the FSPAN ACLs that you
applied are removed from memory to allow space for the security ACLs. A system message notifies you
of this action, which is called unloading. When there is again space for the FSPAN ACLs to reside in
memory, they are added to the hardware memory on the switch. A system message notifies you of this
action, which is called reloading. The IPv4, IPv6 and MAC FSPAN ACLs can be unloaded or reloaded
independently.
If a VLAN-based FSPAN session configured on a stack cannot fit in the hardware memory on one or
mo
re switches, it is treated as unloaded on those switches, and traffic meant for the FSPAN ACL and
sourcing on that switch is not copied to the SPAN destination ports. The FSPAN ACL continues to be
correctly applied, and traffic is copied to the SPAN destination ports on the switches where the FSPAN
ACL fits in the hardware memory.
When an empty FSPAN ACL is attached, some hardw
are functions copy all traffic to the SPAN
destination ports for that ACL. If sufficient hardware resources are not available, even an empty FSPAN
ACL can be unloaded.
IPv4 and MAC FSPAN ACLs are supported on all featu
re sets. IPv6 FSPAN ACLs are supported only
in the advanced IP services feature set.
For information on configuring the switch for FSPAN and FRSPAN, see the “C
onfiguring FSPAN and
FRSPAN” section on page 32-24.
To Next Page
Loading...
Need help?
General
