26-4
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 26 Configuring SPAN
Understanding SPAN
In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN
destination port. For example, a bidirectional (both Rx and Tx) SPAN session is configured for the Rx
monitor on port A and Tx monitor on port B. If a packet enters the switch through port A and is switched
to port B, both incoming and outgoing packets are sent to the destination port. Both packets are the same.
Source Ports
A source port (also called a
monitored port
) is a switched port that you monitor for network traffic
analysis. In a local SPAN session, you can monitor source ports or VLANs for traffic in one or both
directions. The switch supports any number of source ports (up to the maximum number of available
ports on the switch) and any number of source VLANs (up to the maximum number of VLANs
supported). However, the switch supports a maximum of two sessions with source ports or VLANs, and
you cannot mix ports and VLANs in a single session.
A source port has these characteristics:
•
It can be monitored in multiple SPAN sessions.
•
Each source port can be configured with a direction (ingress, egress, or both) to monitor.
•
It can be any port type (for example, EtherChannel, Fast Ethernet, Gigabit Ethernet, and so forth).
•
For EtherChannel sources, you can monitor traffic for the entire EtherChannel or individually on a
physical port as it participates in the port channel.
•
It can be an access port, trunk port, or voice VLAN port.
•
It cannot be a destination port.
•
Source ports can be in the same or different VLANs.
•
You can monitor multiple source ports in a single session.
Source VLANs
VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or more VLANs. The SPAN
source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN.
VSPAN has these characteristics:
•
All active ports in the source VLAN are included as source ports and can be monitored in either or
both directions.
•
On a given port, only traffic on the monitored VLAN is sent to the destination port.
•
If a destination port belongs to a source VLAN, it is excluded from the source list and is not
monitored.
•
If ports are added to or removed from the source VLANs, the traffic on the source VLAN received
by those ports is added to or removed from the sources being monitored.
•
You cannot use filter VLANs in the same session with VLAN sources.
•
You can monitor only Ethernet VLANs.