38-2
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
78-13315-02
Chapter 38 Configuring SPAN and RSPAN
Understanding How SPAN and RSPAN Works
SPAN Session
A SPAN session is an association of a destination port with a set of source ports, configured with
parameters that specify the monitored network traffic. You can configure multiple SPAN sessions in a
switched network. SPAN sessions do not interfere with the normal operation of the switches. You can
enable or disable SPAN sessions with command-line interface (CLI) or SNMP commands. When
enabled, a SPAN session might become active or inactive based on various events or actions, and this
would be indicated by a syslog message. The “Status” field in the
show span
and
show rspan
commands
displays the operational status of a SPAN or RSPAN session.
A SPAN or RSPAN destination session remains inactive after system power up until the destination port
is operational. An RSPAN source session remains inactive until any of the source ports are operational
or the RSPAN VLAN becomes active.
Destination Port
A destination port (also called a
monitor port
) is a switch port where SPAN sends packets for analysis.
After a port becomes an active destination port, it does not forward any traffic except that required for
the SPAN session. By default, an active destination port disables incoming traffic (from the network to
the switching bus), unless you specifically enable the port. If incoming traffic is enabled for the
destination port, it is switched in the native VLAN of the destination port. The destination port does not
participate in spanning tree while the SPAN session is active. See the caution statement in the
“Configuring SPAN from the CLI” section on page 38-7
for information on how to prevent loops in your
network topology.
Only one destination port is allowed per SPAN session, and the same port cannot be a destination port
for multiple SPAN sessions. A switch port configured as a destination port cannot be configured as a
source port. EtherChannel ports cannot be SPAN destination ports.
If the trunking mode of a SPAN destination port is “on” or “nonegotiate” during SPAN session
configuration, the SPAN packets forwarded by the destination port have the encapsulation as specified
by the trunk type; however, the destination port stops trunking, and the
show trunk
command reflects
the trunking status for the port prior to SPAN session configuration.
Source Port
A source port is a switch port monitored for network traffic analysis. The traffic through the source ports
can be categorized as ingress, egress, or both. You can monitor one or more source ports in a single
SPAN session with user-specified traffic types (ingress, egress, or both) applicable for all the source
ports.
You can configure source ports in any VLAN. You can configure VLANs as source ports (
src_vlans
),
which means that all ports in the specified VLANs are source ports for the SPAN session.
Source ports are administrative (
Admin Source
) or operational (
Oper Source
) or both. Administrative
source ports are the source ports or source VLANs specified during SPAN session configuration.
Operational source ports are the source ports monitored by the destination port. For example, when
source VLANs are used as the administrative source, the operational source is all the ports in all the
specified VLANs.
The operational sources are always active ports. If a port is not in the spanning tree, it is not an
operational source. All physical ports in an EtherChannel source are included in operational sources if
the logical port is included in the spanning tree.