58-4
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 58 Configuring SPAN and RSPAN
About SPAN and RSPAN
Some features that can cause a packet to be dropped during receive processing have no effect on
SPAN; the destination port receives a copy of the packet even if the actual incoming packet is
dropped. These features include IP standard and extended input access control lists (ACLs), IP
standard and extended output ACLs for unicast and ingress QoS policing, VLAN maps, ingress QoS
policing, and policy-based routing. Switch congestion that causes packets to be dropped also has no
effect on SPAN.
• Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all
packets sent by the source interface after the switch performs all modification and processing. After
the packet is modified, the source sends a copy of each packet to the destination port for that SPAN
session. You can monitor a range of egress ports in a SPAN session.
Packets that are modified because of routing—for example, with a time-to-live (TTL) or
MAC-address modification—are duplicated at the destination port. On packets that are modified
because of QoS, the modified packet might not have the same DSCP (IP packet) or CoS (non-IP
packet) as the SPAN source.
Some features that can cause a packet to be dropped during transmit processing might also affect the
duplicated copy for SPAN. These features include VLAN maps, IP standard and extended output
ACLs on multicast packets, and egress QoS policing. In the case of output ACLs, if the SPAN source
drops the packet, the SPAN destination would also drop the packet. In the case of egress QoS
policing, if the SPAN source drops the packet, the SPAN destination might not drop it. If the source
port is oversubscribed, the destination ports have different dropping behavior.
• Both—In a SPAN session, you can monitor a single port series or a range of ports for both received
and sent packets.
Source Port
A source port (also called a monitored port) is a switched or routed port that you monitor for network
traffic analysis. In a single local SPAN session or RSPAN source session, you can monitor source port
traffic, such as received (Rx), transmitted (Tx), or bidirectional (both). The switch supports any number
of source ports (up to the maximum number of available ports on the switch) and any number of source
VLANs.
A source port has these characteristics:
• It can be any port type (for example, EtherChannel, Fast Ethernet, Gigabit Ethernet, and so forth).
• It can be monitored in multiple SPAN sessions.
• It cannot be a destination port.
• Each source port can be configured with a direction (ingress, egress, or both) to monitor. For
EtherChannel sources, the monitored direction would apply to all physical ports in the group.
• Source ports can be in the same or different VLANs.
• For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.
You can configure a trunk port as a source port. By default, all VLANs active on the trunk are monitored.
You can limit SPAN traffic monitoring on trunk source ports to specific VLANs by using VLAN
filtering. Only switched traffic in the selected VLANs is sent to the destination port. This feature affects
only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic.
This feature is not allowed in sessions with VLAN sources.
To Next Page
Loading...
Need help?
General
