Trunk port as a destination for SPAN session

Mahmoud Nossair · ‎04-15-2014

Can we make a trunk port as a destination for SPAN session? If yes, how

rnoonan01 · ‎04-15-2014

Of course you can. It will be configured the same as an access port:

monitor session 1 destination int g0/24

However be aware of the following:

Destination Port

Each local SPAN session destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source port.

The destination port has these characteristics:

•It must reside on the same switch as the source port (for a local SPAN session).

•It can be any Ethernet physical port.

•It cannot be a source port or a reflector port.

•It cannot be an EtherChannel group or a VLAN.

•It can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group has been specified as a SPAN source. The port is removed from the group while it is configured as a SPAN destination port.

•The port does not transmit any traffic except that required for the SPAN session.

•If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.

•It does not participate in spanning tree while the SPAN session is active.

•When it is a destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PagP, or LACP).

•No address learning occurs on the destination port.

•A destination port receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed, it could become congested. This could affect traffic forwarding on one or more of the source ports.

Mahmoud Nossair · ‎04-15-2014

Well, if i did so, the trunk port will goes into "monitoring" mode and i will loose the connectivity to other switches that connects to the trunk port,

So how i configure the trunk port as SPAN destination while i keep the connectivity to other switches through this port active?

rasmus.elmholt · ‎05-23-2018

Hi
The trunk port won't be able to transmit user traffic at the same time it is a monitor destination port.
If you want to move a SPAN session across multiple switches take a look at the RSPAN feature.

klouthan · ‎05-23-2018

I think the OP meant that the trunk was passing other unrelated vlans other than the one they wanted to be a monitor destination.

At least that is what I was trying to do. I trunk to my mac mini and pass different vlans to different virtual hosts. I was trying to set up one of the vlans as a sniffer interface on the mac mini. In the end, I just ran another wire, used the normal local span from one physical port to another and that got me where I wanted to be.

However, it really would be nice to be able to span into a monitor vlan on a trunk that contains other traffic.

rasmus.elmholt · ‎05-28-2018

Hi
I normally do the same as you do. Run another wire and monitor that one.
But I actually think the RSPAN feature will automatically send all SPAN traffic out on the RSPAN VLAN. And if your host supports passing that traffic to a specific host it should work.

As far as I remember the reason you need to configure remote-span on the VLAN is to disable the normal MAC learning, and make sure it forwards all traffic out all trunks. But I could be wrong.

Poonam Garg · ‎04-16-2014

one more thing i would like to add.

If the monitor session destination port is a trunk, you should also use keyword ‘encapsulation dot1q’. If you do not, packets will be sent on the interface in native format.

c3550(config)#monitor session 1 destination interface fa0/24 encapsulation dot1q

If you configure a SPAN destination as a trunk port, it will be able to capture all vlan tagged data.

"Please rate helpful posts"

klouthan · ‎05-23-2018

So the answer seems to be "yes, you can use a trunk port as a destination." However the answer is also, "no you cannot use a trunk port as a destination" if you actually want to use the trunked port for anything else besides monitoring.