SPAN and RSPAN Commands

This chapter contains the following sections:

monitor session destination

To create a new Switched Port Analyzer (SPAN) or Remote SPAN (RSPAN) destination session, use the monitor session destination command in Global Configuration mode. To remove a destination session, use the no form of the command.

Syntax

monitor session session_number destination {{interface interface-id [network]} | {remote vlan vlan-id reflector-port interface-id} network}

no monitor session session_number destination

Parameters

  • session_number—Specify the session number identified with the SPAN, RSPAN or flow mirror session. The range is 1 to 4.

  • interface interface-id—Specify the destination interface for the SPAN, RSPAN or flow mirror session (Ethernet port). When the source interface is a RSPAN VLAN the RSPAN VLAN_ID is removed from all frames copied to the interface.

  • network—Specify that the destination port acts also as a network port.

Default Configuration

No SPAN and RSPAN sessions are configured.

Command Mode

Global Configuration mode

User Guidelines

Use the monitor session session_number destination interface interface-id, to create a SPAN, local flow mirror.

If the network keyword is not defined only mirrored traffic sent on a destination port and all input traffic is discard and a value of DOWN is advertised as its operational status to all applications running on it.

A destination port configured without the network keyword has the following limitations:

  • UDLD cannot be enabled on the port.

  • 802.1x cannot be enabled on the port.

A port cannot be configured as destination port with the network keyword if one the following conditions is true:

  • It belongs to the source VLAN

  • It belongs to the remote VLAN

Please, do not add the destination port to the source.

A destination port with the network keyword cannot be configured on an edge port (a port having one of the vlan-mapping modes.

Mirrored traffic is sent to queue number 1 of the destination port.

Use the no monitor session session_number destination command to remove one destination session.

Examples

Example 1. The following example configures a SPAN session consisting from 3 source and one destination session. The first source session copies traffic for both directions from the source port gi1/0/2, the second source session copies bridges traffic from VLAN 100, and the third source session copies traffic for received on the source port gi1/0/3. The destination session defines port gi1/0/1 as the destination port. 

switchxxxxxx(config)# monitor session 1 source interface gi1/0/2 both
switchxxxxxx(config)# monitor session 1 source vlan 100
switchxxxxxx(config)# monitor session 1 source interface gi1/0/3 rx
witchxxxxxx(config)# monitor session 1 destination interface gi1/0/1

monitor session source

To create a new Switched Port Analyzer (SPAN) or Remote SPAN (RSPAN) source session, use the monitor session source command in Global Configuration mode. To remove a source session, use the no form of the command.

Syntax

monitor session session_number source {interface interface-id [both | rx | tx]} | {vlan vlan-id} | {remote vlan vlan-id}

no monitor session [session_number] source [{interface interface-id} | {vlan vlan-id} | {remote vlan vlan-id}]

Parameters

  • session_number—Specify the session number identified with the SPAN or RSPAN session. The range is 1 to 4.

  • interface interface-id—Specify the source interface for a SPAN or RSPAN session (Ethernet port).

  • both, rx, tx—Specify the traffic direction to monitor. If you do not specify a traffic direction, the source interface sends both transmitted and received traffic.

  • vlan vlan-id—Specify the SPAN source interface as a VLAN ID. In this case only a value of 1 is allowed for the session_number argument.

  • remote vlan vlan-id—Specify the source RSPAN source VLAN ID.

Default Configuration

No SPAN and RSPAN sessions are configured.

Command Mode

Global Configuration mode

User Guidelines

Use the monitor session session_number source interface interface-id [both | rx | tx] command, to create a SPAN or RSPAN start source session to monitor traffic that enters or leaves a source port.

Use the monitor session session_number source vlan vlan-id command, to create a SPAN or start RSPAN source session to monitor traffic that bridged into a source VLAN.

Use the monitor session session_number source remote vlan vlan-id command, to create a final RSPAN source session to monitor traffic that passed via a RSPAN VLAN.

A SPAN or RSPAN session consists from up to 8 sources and one destination with the same session number.

Each monitor session source command defines one source port or VLAN. Different monitor session source commands must define different sources. A new command with the same session number and the same source overrides the previous defined one.

Up to 8 sources can be defined in one session.

If a packet is mirrored by both the port-based ingress mirroring mechanism, and one of the other ingress mirroring mechanisms, the selected session is the one with the higher session number.

All definitions of different source ports for the same source session must be of the same type: SPAN, start RSPAN start, or RSPAN final.

A source port cannot be a destination port.

A source port cannot be the a OOB port.

The source interface in a RSPAN source switch can not be a membership of the remote VLAN.

Use the no monitor session session_number source {interface interface-id} | {vlan vlan-id} | {remote vlan vlan-id} command to remove one source.

Use the no monitor session session_number source command to remove all sources ports of the given source session.

Examples

Example 1. The following example configures a SPAN session consisting from 3 source and one destination session. The first source session copies traffic for both directions from the source port gi1/0/2, the second source session copies bridges traffic from VLAN 100, and the third source session copies traffic for received on the source port gi1/0/3. The destination session defines port gi1/0/1 as the destination port. 

switchxxxxxx(config)# monitor session 1 source interface gi1/0/2 both
switchxxxxxx(config)# monitor session 1 source vlan 100
switchxxxxxx(config)# monitor session 1 source interface gi1/0/3 rx
switchxxxxxx(config)# monitor session 1 destination interface gi1/0/1

remote-span

To configure a virtual local area network (VLAN) as a RSPAN remote VLAN, use the remote-span command in VLAN Configuration mode. To return to default, use the no form of this command.

Syntax

remote-span

no remote-span

Parameters

This command has no arguments or keywords.

Default Configuration

A VLAN is not a RSPAN remote VLAN.

Command Mode

VLAN Configuration mode

User Guidelines

Use the remote-span command to define a VLAN as a RSPAN remote VLAN.

Only one Remote VLAN can be defined per switch.

The Remote VLAN must be created manually before configuring of the remote-span command.

Guest VLAN cannot be configured as a Remote VLAN.

All traffic into a RSPLAN VLAN is tagged and MAC learning is disabled in a RSPAN VLAN.

The remote-span command verifies that all ports of the configured VLAN are egress tagged ports and disables MAC learning. The no remote-span command resets MAC learning.

Note. The membership of a RSPAN remote VLAN depended where it is defined:

  • Source or Start switch—It is recommended that the RSPAN remote VLAN does not have any memberships.

  • Intermediate switch—It is recommended to remove the RSPAN remote VLAN from trunk ports not used for passing mirrored traffic to avoid superfluous flooding. Usually, a RSPAN remote VLAN contains two ports.

  • Destination or Final switch—The RSPAN remote VLAN should contain memberships on which the mirrored traffic via this VLAN is arrived. The destination interface cannot be a membership of this VLAN.

Examples

Example 1. The following example shows how to configure a RSPAN remote VLAN in a source switch: 

switchxxxxxx(config)# vlan 2
switchxxxxxx(config-vlan)# remote-span
switchxxxxxx(config-vlan)# exit
switchxxxxxx(config)# monitor session 1 source interface gi1/0/2 both
switchxxxxxx(config)# monitor session 1 destination remote vlan 2 reflector-port gi1/0/1

Example 2. The following example shows how to configure a RSPAN remote VLAN in a final switch: 

switchxxxxxx(config)# interface gi1/0/3
switchxxxxxx(config-if)# switchport mode trunk
switchxxxxxx(config-if)# switchport trunk allowed none
switchxxxxxx(config-if)# switchport trunk allowed add 2
switchxxxxxx(config-if)# exit
switchxxxxxx(config)# vlan 2
switchxxxxxx(config-vlan)# remote-span
switchxxxxxx(config-vlan)# exit
switchxxxxxx(config)# monitor session 1 source remote vlan 2
switchxxxxxx(config)# monitor session 1 destination interface gi1/0/1

Example 3. The following example shows how to configure a RSPAN remote VLAN in an intermediate switch: 

switchxxxxxx(config)# interface range gi1/0/3,4
switchxxxxxx(config-if)# switchport mode trunk
switchxxxxxx(config-if)# switchport trunk allowed none
switchxxxxxx(config-if)# switchport trunk allowed add 2
switchxxxxxx(config-if)# exit
switchxxxxxx(config)# vlan 2
switchxxxxxx(config-vlan)# remote-span
switchxxxxxx(config-vlan)# exit

show monitor session

To display information about Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) sessions on the switch, use the show monitor command in User EXEC mode.

Syntax

show monitor session [session_number]

Parameters

  • session_number—Specify the session number identified with the SPAN or RSPAN session. The range is 1 to 7. If the argument is not defined information about all sessions are displayed.

Default Configuration

This command has no default settings.

Command Mode

User EXEC mode

User Guidelines

Use the show monitor session session_number command to display information about one session.

Use the show monitor session command to display information about all sessions

Examples

Example 1. The following example displays information about all SPAN sessions defined into the switch: 

switchxxxxxx> show monitor session
Session 1
  Type: SPAN
  Source: gi1/0/2, rx only
  Source: VLAN 100
  Source: flow mirrow, policy-map: alpha class-maps: ip-http,  ipv6-http
  Destination: gi1/0/1, network port

Field Definitions:

  • Type—The type of the session.

  • Source—A source of the session. The following options are supported:

    Source: interface-id, traffic-direction(rx only,tx only, or both) 

      The Source is an interface.

    Source: vlan vlan-id

      The Source is a VLAN.

    Source: remote vlan vlan-id

    The Source is a RSPAN VLAN (in the RSPAN session final switch).

    Source: flow mirrow, policy-map: policy-map-name, class-maps: class-map-name1, class-map-name2

     The Source is a flow mirror, only attached policy-names are displayed.

  • Destination—A destination of the session. The following options are supported:

    Destination: interface-id

    The Destination is an interface, regular forwarding on the interface is not supported.

    Destination: interface-id, network 

    The Destination is an interface, regular forwarding on the interface is supported.

    Destination: RSPAN VLAN vlan-id, reflector-port interface-id

    The switch is the first switch in the RSPAN session, regular forwarding on the interface is not supported.

    Destination: RSPAN VLAN vlan-id, reflector-port interface-id, network 

    The switch is the first switch in the RSPAN session, regular forwarding on the interface is supported.

show vlan remote-span

To display a list of remote Switched Port Analyzer (RSPAN) VLANs, use the show vlan remote-span command in User EXEC mode.

Syntax

show vlan remote-span

Parameters

This command has no arguments or keywords

Default Configuration

This command has no default settings.

Command Mode

User EXEC mode

Examples

Example. This example shows how to display a list of remote SPAN VLANs: 

switchxxxxxx> show vlan remote-span
Remote SPAN VLAN: 20