Local Switched Port Analyzer

Switched Port Analyzer (SPAN) allows for a protocol analyzer such as a sniffer to passively inspect traffic generated by a VLAN(s) or specific source port(s). SPAN is flexible enough that the source can be a single port or multiple ports, or VLAN traffic copied to a user-defined SPAN destination port. For example, any traffic that is received or transmitted by ports 10/3-5 is also forwarded to port 10/1. (See Example 12-11.) The source and destination port must be on the same switch for SPAN, also known as Local SPAN.

Example 12-11. Monitoring Multiple Ports

Switch1 (enable) set span 10/3-5 10/1

Destination     : Port 10/1

Admin Source    : Port 10/3-5 

!List of all ports that are monitored

Oper Source     : Port 10/3 

!List of Admin ports that are currently active on the network

Direction       : transmit/receive 

!Incoming/Outgoing traffic on monitored ports that are sent to destination port

Incoming Packets: disabled 

!By default normal traffic is disabled on the destination port. If enabled, it does not

 support spanning tree for the vlan the port is associated with- Be careful with enabling

 this command. Option first became available in 4.2 OS

Learning        : enabled 

!MAC address learning is enabled for incoming packets. The option was introduced in 5.3 OS

 for Catalyst 6500)

Multicast       : enabled 

Filter          : - 

!filter option is only available with Catalyst 4000 and 6000 family

Status          : active

Example 12-12 illustrates monitoring a VLAN rather than a specific port. Notice all the ports that are associated with the VLAN are part of the Admin Source list.

Example 12-12. Monitoring VLAN 3

Switch1 (enable) set span 3 10/1

Destination     : Port 10/1

Admin Source    : VLAN 3

Oper Source     : Port 10/24,10/47,15/1

Direction       : transmit/receive 

!SPAN can be configured to allow only transmit, receive, or both

Incoming Packets: disabled

Learning        : enabled

Multicast       : enabled

Filter          : -

Status          : active

Only traffic from VLAN 3 coming from ports 10/3-5 is copied to port 10/1. (See Example 12-13.) If the filter option was not enabled, all other VLAN traffic from the trunk port would also get copied to a SPAN destination port.

Example 12-13. SPAN Filtering Enabled

Switch1 (enable) set span 10/3-5 10/1 filter 3

Destination     : Port 10/1

Admin Source    : Port 10/3-5

Oper Source     : Port 10/3

Direction       : transmit/receive

Incoming Packets: disabled

Learning        : enabled

Multicast       : enabled

Filter          : 3

Status          : active

However, if the goal is to receive traffic from multiple VLANs and retain their associated VLAN tags, the destination port must be configured for trunking. All traffic from trunk 1/2 is also copied to 10/1, as shown in Example 12-14.

Example 12-14. Monitoring a Trunk

Switch1 (enable) set trunk 10/1 isl

Port(s) 10/1 trunk type set to isl.

Switch1 (enable) set trunk 10/1 desirable

Port(s) 10/1 trunk mode set to desirable.

Switch1 (enable) set span 1/2 10/1

The Create option allows for multiple SPAN sessions to be created, as shown in Example 12-15. All traffic from port 1/2 is copied on port 10/1. Furthermore, all traffic from 10/2 is copied on port 10/11 as well.

Example 12-15. Using the Create Option

Switch1 (enable) set span 1/2 10/1

Switch1 (enable) set span 10/2 10/11 create