468
Configuring SPAN and RSPAN
Information About SPAN and RSPAN
There can be more than one source session and more than one destination session active in the same RSPAN VLAN.
There can also be intermediate switches separating the RSPAN source and destination sessions. These switches need
not be capable of running RSPAN, but they must respond to the requirements of the RSPAN VLAN (see RSPAN VLAN,
page 471).
Traffic monitoring in a SPAN session has these restrictions:
Sources can be ports or VLANs, but you cannot mix source ports and source VLANs in the same session.
The switch supports up to 4 source sessions (local SPAN and RSPAN source sessions). You can run both a local
SPAN and an RSPAN source session in the same switch. The switch supports a total of 68 source and RSPAN
destination sessions.
You can have multiple destination ports in a SPAN session, but no more than 64 destination ports.
You can configure two separate SPAN or RSPAN source sessions with separate or overlapping sets of SPAN source
ports and VLANs. Both switched and routed ports can be configured as SPAN sources and destinations.
SPAN sessions do not interfere with the normal operation of the switch. However, an oversubscribed SPAN
destination, for example, a 10-Mb/s port monitoring a 100-Mb/s port, can result in dropped or lost packets.
When RSPAN is enabled, each packet being monitored is transmitted twice, once as normal traffic and once as a
monitored packet. Therefore monitoring a large number of ports or VLANs could potentially generate large amounts
of network traffic.
You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active unless you
enable the destination port and at least one source port or VLAN for that session.
The switch does not support a combination of local SPAN and RSPAN in a single session. That is, an RSPAN source
session cannot have a local destination port, an RSPAN destination session cannot have a local source port, and an
RSPAN destination session and an RSPAN source session that are using the same RSPAN VLAN cannot run on the
same switch.
Monitored Traffic Types for SPAN Sessions
Receive (Rx) SPAN—The goal of receive (or ingress) SPAN is to monitor as much as possible all the packets received
by the source interface or VLAN before any modification or processing is performed by the switch. A copy of each
packet received by the source is sent to the destination port for that SPAN session.
Packets that are modified because of routing or quality of service (QoS)—for example, modified Differentiated
Services Code Point (DSCP)—are copied before modification.
Features that can cause a packet to be dropped during receive processing have no effect on ingress SPAN; the
destination port receives a copy of the packet even if the actual incoming packet is dropped. These features include
IP standard and extended input access control lists (ACLs), ingress QoS policing, VLAN ACLs, and egress QoS
policing.
Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all the packets sent by
the source interface after all modification and processing is performed by the switch. A copy of each packet sent by
the source is sent to the destination port for that SPAN session. The copy is provided after the packet is modified.
Packets that are modified because of routing—for example, with modified time-to-live (TTL), MAC-address, or QoS
values—are duplicated (with the modifications) at the destination port.
Features that can cause a packet to be dropped during transmit processing also affect the duplicated copy for SPAN.
These features include IP standard and extended output ACLs and egress QoS policing.
Both—In a SPAN session, you can also monitor a port or VLAN for both received and sent packets. This is the default.
To Next Page
Loading...
Need help?
General