20-3
Catalyst 2360 Switch Software Configuration Guide
OL-19808-01
Chapter 20 Configuring SPAN
Understanding SPAN
•
When SPAN is enabled, each packet being monitored is sent twice, once as normal traffic and once
as a monitored packet. Therefore monitoring a large number of ports or VLANs could potentially
generate large amounts of network traffic.
•
You can configure a SPAN session on disabled ports; however, a SPAN session does not become
active unless you enable the destination port and at least one source port or VLAN for that session.
Monitored Traffic
A SPAN session can monitor these traffic types:
•
Receive (Rx) SPAN—The goal of receive (or ingress) SPAN is to monitor as much as possible all
the packets received by the source interface or VLAN before any modification or processing is
performed by the switch. A copy of each packet received by the source is sent to the destination port
for that SPAN session.
•
Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all
the packets sent by the source interface after all modification and processing is performed by the
switch. A copy of each packet sent by the source is sent to the destination port for that SPAN session.
The copy is provided after the packet is modified.
•
Both—In a SPAN session, you can also monitor a port or VLAN for both received and sent packets.
This is the default.
The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does
not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco
Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning
Tree Protocol (STP), and Port Aggregation Protocol (PAgP). However, when you enter the
encapsulation replicate
keywords when configuring a destination port, these changes occur:
•
Packets are sent on the destination port with the same encapsulation—untagged or IEEE
802.1Q—that they had on the source port.
•
Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.
Therefore, a local SPAN session with encapsulation replicate enabled can have a mixture of untagged
and IEEE 802.1Q-tagged packets appear on the destination port.
Switch congestion can cause packets to be dropped at ingress source ports, egress source ports, or SPAN
destination ports. In general, these characteristics are independent of one another. For example:
•
A packet might be forwarded normally but dropped from monitoring due to an oversubscribed
SPAN destination port.
•
An ingress packet might be dropped from normal forwarding, but still appear on the SPAN
destination port.
•
An egress packet dropped because of switch congestion is also dropped from egress SPAN.
In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN
destination port. For example, a bidirectional (both Rx and Tx) SPAN session is configured for the Rx
monitor on port A and Tx monitor on port B. If a packet enters the switch through port A and is switched
to port B, both incoming and outgoing packets are sent to the destination port. Both packets are the same.
Source Ports
A source port (also called a
monitored port
) is a port that you monitor for network traffic analysis. In a
local SPAN session source session, you can monitor source ports or VLANs for traffic in one or both
directions. The switch supports any number of source ports (up to the maximum number of available