49-4
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 49 Configuring SPAN, RSPAN and the Mini Protocol Analyzer
• When a VLAN is cleared, it is removed from the source list for the VSPAN sessions.
• A VSPAN session is disabled if the Admin source VLANs list is empty.
• The inactive VLANs are not allowed for the VSPAN configuration.
• A VSPAN session is made inactive if any of the source VLANs become the RSPAN VLANs.
Trunk VLAN Filtering
Trunk VLAN filtering is the analysis of network traffic on a selected set of VLANs on the trunk source ports.
You can combine trunk VLAN filtering with the other source ports that belong to any of the selected
VLANs, and you can also use trunk VLAN filtering for RSPAN. Based on the traffic type (ingress,
egress, or both), SPAN sends a copy of the network traffic in the selected VLANs to the destination ports.
Use trunk VLAN filtering only with the trunk source ports. If you combine trunk VLAN filtering with
the other source ports that belong to the VLANs that are not included in the selected list of filter VLANs,
SPAN includes only the ports that belong to one or more of the selected VLANs in the operational
sources.
When a VLAN is cleared, it is removed from the VLAN filter list. A SPAN session is disabled if the
VLAN filter list becomes empty.
Trunk VLAN filtering is not applicable to the VSPAN sessions.
SPAN Traffic
All network traffic, including the multicast and bridge protocol data unit (BPDU) packets, can be
monitored using SPAN (RSPAN does not support monitoring of BPDU packets or Layer 2 protocol packets
such as CDP, DTP, and VTP). Multicast packet monitoring is enabled by default.
In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN
destination ports. For example, a bidirectional (both ingress and egress) SPAN session is configured for
sources a1 and a2 to a destination port d1. If a packet enters the switch through a1 and gets switched to
a2, both the incoming and outgoing packets are sent to destination port d1. Both packets would be the
same (if a Layer 3 rewrite occurs, the packets are different). For the RSPAN sessions with the sources
that are distributed in multiple switches, the destination ports might forward multiple copies of the same
packet.
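When a capture taken on destination port d1 is analyzed, these duplicate copies inflate packet counts and can look like retransmissions. The following added example (not part of the Cisco guide) drops the second copy seen within a short time window. It also goes beyond the exact-copy case: an optional mode ignores the fields assumed here to differ after a Layer 3 rewrite (MAC addresses, 802.1Q tags, TTL, and IPv4 header checksum). The 5 ms window, the function names, and all sample frames are constructed assumptions.

```python
import hashlib
import struct

ETH_IPV4, ETH_DOT1Q = 0x0800, 0x8100

def frame_key(frame, l3_tolerant):
    """Digest for a frame; optionally ignore what a Layer 3 rewrite changes."""
    off = 12
    if l3_tolerant and len(frame) >= 14:
        etype = struct.unpack_from("!H", frame, off)[0]
        while etype == ETH_DOT1Q and len(frame) >= off + 6:  # skip 802.1Q tags
            off += 4
            etype = struct.unpack_from("!H", frame, off)[0]
        if etype == ETH_IPV4 and len(frame) >= off + 22:
            total = max(20, struct.unpack_from("!H", frame, off + 4)[0])
            pkt = bytearray(frame[off + 2:off + 2 + total])  # drop MACs, tags, padding
            pkt[8] = 0              # TTL is decremented when routed
            pkt[10:12] = b"\0\0"    # header checksum is recomputed
            return hashlib.sha256(pkt).digest()
    return hashlib.sha256(frame).digest()

def dedupe(frames, window=0.005, l3_tolerant=False):
    """frames: (timestamp_seconds, bytes) in capture order -> (kept, dropped)."""
    last_seen, kept, dropped = {}, [], 0
    for ts, frame in frames:
        key = frame_key(frame, l3_tolerant)
        prev, last_seen[key] = last_seen.get(key), ts
        if prev is not None and ts - prev <= window:
            dropped += 1            # second copy of a packet already mirrored
        else:
            kept.append((ts, frame))
    return kept, dropped

def ipv4_frame(dst, src, ttl, payload=b"constructed"):
    """Build a constructed Ethernet/IPv4 frame with a valid header checksum."""
    head = struct.pack("!BBHHHBB", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, 17)
    addrs = bytes([10, 0, 1, 5, 10, 0, 2, 9])
    s = sum(struct.unpack("!9H", head + addrs))
    s = (s & 0xFFFF) + (s >> 16)
    csum = ~((s & 0xFFFF) + (s >> 16)) & 0xFFFF
    return dst + src + struct.pack("!H", ETH_IPV4) + head + struct.pack("!H", csum) + addrs + payload

A, B, R = b"\x02\0\0\0\0\x0a", b"\x02\0\0\0\0\x0b", b"\x02\0\0\0\0\x01"  # constructed MACs
SWITCHED = [(0.0000, ipv4_frame(B, A, 64)), (0.0001, ipv4_frame(B, A, 64))]  # a1 in, a2 out
ROUTED = [(0.0000, ipv4_frame(R, A, 64)), (0.0001, ipv4_frame(B, R, 63))]    # rewritten copy

if __name__ == "__main__":
    for name, cap in (("switched", SWITCHED), ("routed", ROUTED)):
        print(name, [dedupe(cap, l3_tolerant=t)[1] for t in (False, True)])
```

Keep the window short: an exact-match key within a wide window would also discard genuine repeated frames.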
Understanding How the Mini Protocol Analyzer Works
The Mini Protocol Analyzer copies network traffic from a source port (see the “Source Port” section on
page 49-2 for an explanation of a source port). A Mini Protocol Analyzer session differs from a SPAN
session in that the copied source port traffic from a Mini Protocol Analyzer session travels over the
switch backplane where it is written to an output file. By default, the output file is stored on the flash
memory of the switch. No destination port is required for the Mini Protocol Analyzer.
Once the file is created, you open and view the file using the Ethereal Network Protocol Analyzer. The
Ethereal Network Protocol Analyzer is open source software and is available from http://www.ethereal.com.
You specify a single port as the source port. The source port can be either an access port or a trunk port.
You cannot specify a VLAN as a source port. The Mini Protocol Analyzer also captures double-tagged
frames on dot1qtunnel, PAgP, and LACP channel ports.