You can analyze network traffic passing through ports or VLANs by using SPAN to send a copy of the traffic to another port on the switch hat has been connected to a network analyzer, monitoring or security device. SPAN copies (or mirrors) traffic received or sent (or both) on source ports or source VLANs to a destination port for analysis. SPAN does not affect the switching of network traffic on the source ports or VLANs.

Traffic monitoring in a SPAN session has these restrictions:

• Sources can be ports or VLANs, but you cannot mix source ports and source VLANs in the same session.
• The switch supports up to two source sessions.
• You can have multiple destination ports in a SPAN session, but no more than 64 destination ports per switch stack.
• SPAN sessions do not interfere with the normal operation of the switch. However, an oversubscribed SPAN destination, for example, a 100-Mb/s port monitoring a 1-Gb/s port, can result in dropped or lost packets.

The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP). However, when you enter the encapsulation replicate keywords when configuring a destination port, these changes occur:

• Packets are sent on the destination port with the same encapsulation—untagged, Inter-Switch Link (ISL), or IEEE 802.1Q—that they had on the source port.
• Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.

Therefore, a local SPAN session with encapsulation replicate enabled can have a mixture of untagged, ISL, and IEEE 802.1Q tagged packets appear on the destination port.

A source port (also called a monitored port) is a switched or routed port that you monitor for network traffic analysis.

A source port has these characteristics:

• It can be monitored in multiple SPAN sessions.
• Each source port can be configured with a direction (ingress, egress, or both) to monitor.
• It can be any port type (for example, EtherChannel, Fast Ethernet, Gigabit Ethernet, and so forth).
• It can be an access port, trunk port, routed port, or voice VLAN port.
• It cannot be a destination port.
• Source ports can be in the same or different VLANs.
• You can monitor multiple source ports in a single session.

Using a VLAN as the source is called VSPAN. The SPAN interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN.

VSPAN has these characteristics:

• All active ports in the source VLAN are included as source ports and can be monitored in either or both directions

Each local SPAN session destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the destination port, which usually has a network analyzer connected.

A destination port has these characteristics:

• For a local SPAN session, the destination port must reside on the same switch stack as the source port.
• When a port is configured as a SPAN destination port, the configuration overwrites the original port configuration. When the SPAN destination configuration is removed, the port reverts to its previous configuration.
• It can be any Ethernet physical port.
• It cannot be an EtherChannel group or a VLAN.
• It can participate in only one SPAN session at a time (a destination port in one SPAN session cannot be a destination port for a second SPAN session).
• The maximum number of destination ports in a switch stack is 64.

Configuring SPAN

monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]

monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}

This example shows how to set up SPAN session 1 for monitoring source port traffic to a destination port. First, any existing SPAN configuration for session 1 is deleted, and then bidirectional traffic is mirrored from source Gigabit Ethernet port 1 to destination Gigabit Ethernet port 2, retaining the encapsulation method.

Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface gigabitethernet1/0/1
Switch(config)# monitor session 1 destination interface gigabitethernet1/0/2 encapsulation replicate

This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination Gigabit Ethernet port 2.

Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source vlan 1 - 3 rx
Switch(config)# monitor session 2 destination interface Gigabitethernet1/0/2