How to configure port monitoring (SPAN) on a Catalyst 2940, 2950, 2955, 2970, 3550 or 3750 series switch

Resolution

You can analyze network traffic passing through ports by using Switched Port Analyzer (SPAN). This sends a copy of the traffic to another port on the switch that has been connected to a SwitchProbe device, another Remote Monitoring (RMON) probe or security device. SPAN mirrors receive or transmit (or both) traffic on one or more source ports to a destination port for analysis.

Remote SPAN (RSPAN) extends SPAN by enabling RMON of multiple switches across your network. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. The SPAN traffic from the sources is copied onto the RSPAN VLAN through a reflector port and then forwarded over trunk ports carrying the RSPAN VLAN to any RSPAN destination session monitoring the RSPAN VLAN.

SPAN and RSPAN do not affect the switching of network traffic on source ports. A copy of the packets received or sent by the source interfaces are sent to the destination interface. Except for traffic that is required for the SPAN or RSPAN session, reflector ports and destination ports do not receive or forward traffic.

These are configuration examples:

• This example shows how to set up a SPAN session (session 1) for monitoring source port traffic to a destination port. First, any existing SPAN configuration for session 1 is cleared and then bidirectional traffic is mirrored from source port 1 to destination port 10: 

  Switch(config)# no monitor session 1
  Switch(config)# monitor session 1 source interface fastEthernet0/1
  Switch(config)# monitor session 1 destination interface fastEthernet0/10 encapsulation dot1q
  Switch(config)# end
  

         
• This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that does not support 802.1q encapsulation: 
  Switch(config)# monitor session 1 destination interface Fa 0/5 ingress vlan 5  

• This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that supports 802.1q encapsulation: 

  Switch(config)# monitor session 1 destination interface Fa 0/5 encapsulation dot1q ingress vlan 5

         
• This example shows how to disable ingress traffic forwarding on the destination port: 

  Switch(config)# monitor session 1 destination interface Fa 0/5 encapsulation dot1q

         
• This example shows how to clear any existing RSPAN configuration for session 1, configure RSPAN session 1 to monitor multiple source interfaces, and configure the destination RSPAN VLAN and the reflector-port: 

  Switch(config)# no monitor session 1
  Switch(config)# monitor session 1 source interface fastEthernet0/10 tx
  Switch(config)# monitor session 1 source interface fastEthernet0/2 rx
  Switch(config)# monitor session 1 source interface fastEthernet0/3 rx
  Switch(config)# monitor session 1 source interface port-channel 102 rx
  Switch(config)# monitor session 1 destination remote vlan 901 reflector-port fastEthernet0/1
  Switch(config)# end 

         
• This example shows how to configure VLAN 901 as the source remote VLAN and port 5 as the destination interface: 

  Switch(config)# monitor session 1 source remote vlan 901
  Switch(config)# monitor session 1 destination interface fastEthernet0/5
  Switch(config)# end 

     

For more information about configuring SPAN, refer to these documents:

• For an introduction to the recent features of SPAN that have been implemented, refer to Configuring the Catalyst Switched Port Analyzer (SPAN) Feature.     
• For the Catalyst 2940 series, refer to Configuring Span.        
• For the Catalyst 2950 series, refer to Configuring SPAN and RSPAN.        
• For the Catalyst 2970 series, refer to Configuring Span and RSPAN.        
• For the Catalyst 3550 series, refer to Configuring SPAN and RSPAN.        
• For the Catalyst 3750 series, refer to Configuring SPAN and RSPAN.