Switched Port Analyzer (SPAN) allows a protocol analyzer such as a sniffer to passively inspect traffic generated by one or more VLANs or by specific source ports. SPAN is flexible enough that the source can be a single port, multiple ports, or the traffic of a VLAN, copied to a user-defined SPAN destination port. For example, any traffic that is received or transmitted by ports 10/3-5 is also forwarded to port 10/1. (See Example 12-11.) For SPAN, also known as Local SPAN, the source and destination ports must be on the same switch.
Switch1 (enable) set span 10/3-5 10/1
Destination : Port 10/1
Admin Source : Port 10/3-5 !List of all ports that are monitored
Oper Source : Port 10/3 !List of Admin ports that are currently active on the network
Direction : transmit/receive !Incoming/outgoing traffic on the monitored ports that is sent to the destination port
Incoming Packets: disabled !By default, normal traffic is disabled on the destination port. If enabled, it does not support spanning tree for the VLAN the port is associated with. Be careful with enabling this command. Option first became available in 4.2 OS
Learning : enabled !MAC address learning is enabled for incoming packets. The option was introduced in 5.3 OS for Catalyst 6500
Multicast : enabled
Filter : - !Filter option is only available with the Catalyst 4000 and 6000 families
Status : active
Example 12-12 illustrates monitoring a VLAN rather than a specific port. Notice that all the ports associated with the VLAN appear in the Oper Source list, while the Admin Source is the VLAN itself.
Switch1 (enable) set span 3 10/1
Destination : Port 10/1
Admin Source : VLAN 3
Oper Source : Port 10/24,10/47,15/1
Direction : transmit/receive !SPAN can be configured to allow only transmit, receive, or both
Incoming Packets: disabled
Learning : enabled
Multicast : enabled
Filter : -
Status : active
With the filter option, only VLAN 3 traffic coming from ports 10/3-5 is copied to port 10/1. (See Example 12-13.) If the filter option were not set, traffic from all other VLANs carried on the trunk port would also be copied to the SPAN destination port.
Switch1 (enable) set span 10/3-5 10/1 filter 3
Destination : Port 10/1
Admin Source : Port 10/3-5
Oper Source : Port 10/3
Direction : transmit/receive
Incoming Packets: disabled
Learning : enabled
Multicast : enabled
Filter : 3
Status : active
However, if the goal is to receive traffic from multiple VLANs and retain the associated VLAN tags, the destination port must be configured for trunking. In Example 12-14, all traffic from trunk 1/2 is copied to 10/1, which is first made an ISL trunk.
Switch1 (enable) set trunk 10/1 isl
Port(s) 10/1 trunk type set to isl.
Switch1 (enable) set trunk 10/1 desirable
Port(s) 10/1 trunk mode set to desirable.
Switch1 (enable) set span 1/2 10/1
The create option allows multiple SPAN sessions to exist at once, as shown in Example 12-15. All traffic from port 1/2 is copied to port 10/1, and all traffic from port 10/2 is additionally copied to port 10/11.
Switch1 (enable) set span 1/2 10/1
Switch1 (enable) set span 10/2 10/11 create
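Because the SPAN display above is what an operator reviews to confirm a session does only what was intended, the following added example (not from the original text or from Cisco) parses that display format and flags the points the examples call out: an Incoming Packets setting of enabled, a port source with no VLAN filter, monitored ports that are not currently active, and a session that is not active. The sample output is constructed to mirror the field layout of the examples; the audit rules are this example's own assumptions, not a Cisco feature.

```python
"""Audit parser for CatOS-style SPAN session output.

Added example, not from the original text or Cisco. The field names follow the
'set span' display shown in the examples; the audit rules and the sample
output are this example's own constructions.
"""
import re

# Constructed sample mirroring the display format of the examples: two sessions,
# separated by a blank line. The second one is deliberately misconfigured.
SAMPLE_OUTPUT = """\
Destination      : Port 10/1
Admin Source     : Port 10/3-5
Oper Source      : Port 10/3
Direction        : transmit/receive
Incoming Packets : disabled
Learning         : enabled
Multicast        : enabled
Filter           : -
Status           : active

Destination      : Port 10/11
Admin Source     : Port 1/2
Oper Source      : Port 1/2
Direction        : transmit/receive
Incoming Packets : enabled
Learning         : enabled
Multicast        : enabled
Filter           : -
Status           : active
"""

FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.*?)\s*$")
PORT_RE = re.compile(r"(\d+)/(\d+)(?:-(\d+))?")


def parse_span_sessions(text):
    """Split blank-line-separated sessions into dicts of field -> value."""
    sessions, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                sessions.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key")] = m.group("value")
    if current:
        sessions.append(current)
    return sessions


def expand_ports(spec):
    """'Port 10/3-5,15/1' -> {'10/3', '10/4', '10/5', '15/1'}; a VLAN source yields an empty set."""
    if not spec.startswith("Port"):
        return set()
    ports = set()
    for mod, first, last in PORT_RE.findall(spec):
        for p in range(int(first), int(last or first) + 1):
            ports.add(f"{mod}/{p}")
    return ports


def audit_session(session):
    """Return human-readable findings for one session (empty list if nothing to flag)."""
    findings = []
    dest = session.get("Destination", "?")
    admin = session.get("Admin Source", "")
    oper = session.get("Oper Source", "")

    # The examples note that Incoming Packets is disabled by default and that enabling
    # it removes spanning-tree support for the destination port's VLAN.
    if session.get("Incoming Packets", "").lower() == "enabled":
        findings.append(f"{dest}: Incoming Packets enabled; the destination port is no longer a receive-only analyzer port")

    # Without a VLAN filter, a trunk source copies every VLAN it carries to the destination.
    if admin.startswith("Port") and session.get("Filter", "-") in ("", "-"):
        findings.append(f"{dest}: no VLAN filter on source {admin}; a trunk source would copy all of its VLANs")

    # Admin ports that are absent from the Oper list are configured but not currently active.
    idle = expand_ports(admin) - expand_ports(oper)
    if idle:
        findings.append(f"{dest}: monitored ports not currently active: {', '.join(sorted(idle))}")

    if session.get("Status", "").lower() != "active":
        findings.append(f"{dest}: session status is '{session.get('Status', '')}', nothing is being copied")
    return findings


def audit(text):
    """Map each session's destination port to its list of findings."""
    return {s.get("Destination", "?"): audit_session(s) for s in parse_span_sessions(text)}


if __name__ == "__main__":
    for dest, findings in audit(SAMPLE_OUTPUT).items():
        print(dest, "->", findings or ["ok"])
```

Run against the constructed sample, the first session (the Example 12-11 configuration) is flagged only for the missing filter and for ports 10/4 and 10/5 being configured but not active, while the second session is additionally flagged for Incoming Packets being enabled.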