Configuring SPAN On Cisco Catalyst

Switches - Monitor & Capture Network

Traffic/Packets
Written by Administrator on 28 January 2013. Posted in Cisco Switches - Catalyst Switch
Configuration
inShare

Being able to monitor your network traffic is essential when it comes to troubleshooting
problems, performing a security audit or even casually checking your network for suspicious
traffic.
Back in the old days whenever there was a need to monitor or capture network traffic, a hub
would be introduced somewhere in the network link and, thanks to the hubs inefficient
design, it would copy all packets incoming from one port out to all the rest of the ports,
making it very easy to monitor network traffic. Those interested in hub fundamentals can read
our Hubs & Repeaters article.
Of course switches work on an entirely different principle and do not replicate unicast
packets out of every port on the switch, but keep them isolated unless its a broadcast or
multicast.
Thankfully, monitoring network traffic on Cisco Catalyst switches is a straightforward
process and does not require the presence of a hub. The Cisco method is called Switched
Port Analyser also known as SPAN.

Understanding SPAN Terminology

Ingress Traffic: Traffic that enters the switch

Egress Traffic: Traffic that leaves the switch

Source (SPAN) port: A port that is monitored

Source (SPAN) VLAN: A VLAN whose traffic is monitored

Destination (SPAN) port: A port that monitors source ports. This is usually the point
to which a network analyser is connected.

Remote SPAN (RSPAN): When Source ports are not located on the same switch as
the Destination port. RSPAN is an advanced feature that requires a special VLAN to
carry the monitored traffic and is not supported by all switches. RSPAN explanation
and configuration will be covered in another article.

The network diagram above helps us understand the terminology and implementation of
SPAN.
Source SPAN ports are monitored for received (RX), transmitted (TX) or bidirectional (both)
traffic. Traffic entering or exiting the Source SPAN ports is mirrored to the Destination
SPAN port. Typically, you would connect a PC with a network analyser on the Destination
SPAN port, and configure it to capture and analyse the traffic.
The amount of information you can obtain from a SPAN session really depends on how well
the captured data can be interpreted and understood. A reliable Network Analyser will not
only show the captured packets but automatically diagnose problems such as TCP
retransmissions, DNS failures, slow TCP responses, ICMP redirect messages and much more.
These capabilities help any engineer to quickly locate network problems which otherwise
could not be easily found.

Basic Characteristics and Limitations of Source Port

A source port has the following characteristics:

It can be any port type such as EtherChannel, Fast Ethernet, Gigabit Ethernet and so
forth.

It can be monitored in multiple SPAN sessions.

It cannot be a destination port (thats where the packet analyser is connected)

Each source port can be configured with a direction (ingress, egress, or both) to
monitor. For EtherChannel sources, the monitored direction applies to all physical
ports in the group.

Source ports can be in the same or different VLANs.

For VLAN SPAN sources, all active ports in the source VLAN are included as source
ports.

Basic Characteristics and Limitations of Destination Port

Each SPAN session must have a destination port that receives a copy of the traffic from the
source ports and VLANs.
A destination port has these characteristics:

A destination port must reside on the same switch as the source port (for a local SPAN
session).

A destination port can be any Ethernet physical port.

A destination port can participate in only one SPAN session at a time.

A destination port in one SPAN session cannot be a destination port for a second
SPAN session.

A destination port cannot be a source port.

A destination port cannot be an EtherChannel group.

Limitations of SPAN on Cisco Catalyst Models

Following are the limitations of SPAN on various Cisco Catalyst switches:

Cisco Catalyst 2950 switches are only able to have one SPAN session active at a time
and can monitor source ports. These switches cannot monitor VLAN source.

Cisco Catalyst switches can forward traffic on a destination SPAN port in Cisco IOS
12.1(13)EA1 and later

Cisco Catalyst 3550, 3560 and 3750 switches can support up to two SPAN sessions at
a time and can monitor source ports as well as VLANs

The Catalyst 2970, 3560, and 3750 Switches do not require the configuration of a
reflector port when you configure an RSPAN session.

The Catalyst 3750 Switches support session configuration with the use of source and
destination ports that reside on any of the switch stack members.

Only one destination port is allowed per SPAN session and the same port cannot be a
destination port for multiple SPAN sessions. Therefore, you cannot have two SPAN
sessions that use the same destination port.

Configuring SPAN On Cisco Catalyst Switches

Our test-bed was a Cisco Catalyst 3550 Layer 3 switch, however, the commands used are
fully supported on all Cisco Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560E,
3750, 3750E and 4507R Series Switches.
The diagram below represents a typical network setup where there is a need to monitor traffic
entering (Ingress) and exiting (Egress) the port to which the router connects (FE0/1). This
strategically selected port essentially monitors all traffic entering and exiting our network.

Since router R1 connects to the 3550 Catalyst switch on port FE0/1, this port is configured as
the Source SPAN port. Traffic copied from FE0/1 is to be mirrored out FE0/24 where our
monitoring workstation is waiting to capture the traffic.

Once we have our network analyser setup and running, the first step is to configure
FastEthernet 0/1 as a source SPAN port:
Catalyst-3550(config)# monitor session 1 source interface fastethernet 0/1

Next, configure FastEthernet 0/24 as the destination SPAN port:

Catalyst-3550(config)# monitor session 1 destination interface fastethernet 0/24
After entering both commands, we noticed our destinations SPAN port LED (FE0/24) began
flashing in synchronisation with that of FE0/1s LED an expected behaviour considering all
FE0/1 packets were being copied to FE0/24.
Confirming the monitoring session and operation requires one simple command, show
monitor session 1:

To display the detailed information from a saved version of the monitor configuration for a
specific session, issue the show monitor session 1 detailcommand:

Catalyst-3550# show monitor session 1 detail

Notice how the Source Ports section shows Fa0/1 for the row named Both. This means that
we are monitoring both RX & TX packets for Fa0/1, while the Destination Port is set to
Fa0/24.
Turning to our network analyser, thanks to its predefined filters we were able to catch packets
to and from the worksation monitored:

This completes our discussion on SPAN configuration and how to monitor/capture packets on
a Cisco Catalyst switch. Upcoming articles will cover RSPAN and more advanced packet
capturing techniques using dedicated VLANs for captured traffic and other complex
scenarios.
Catalyst Switches That Support SPAN, RSPAN, and ERSPAN:
Catalyst Switches

SPAN
Support

RSPAN
Support

ERSPAN Support

No

No

Yes

Yes

Yes
Supervisor 720 with PFC3B or PFC3BXL
running Cisco IOS Software Release
12.2(18)SXE or later.
Supervisor 720 with PFC3A that has hardware
version 3.2 or later and running Cisco IOS
Software Release 12.2(18)SXE or later

Yes

No

No

Yes

Yes

No

Yes

Yes

No

Yes

Yes

No

Catalyst Express 500

Yes
Series

Catalyst 6500/6000
Series

Catalyst 5500/5000
Series
Catalyst 4900 Series
Catalyst 4500/4000
Series (includes
4912G)
Catalyst 3750 Metro
Series

Catalyst 3750 /
3750E Series
Catalyst 3560 /
3560E Series
Catalyst 3550 Series
Catalyst 3500 XL
Series
Catalyst 2970 Series
Catalyst 2960 Series
Catalyst 2955 Series
Catalyst 2950 Series
Catalyst 2940 Series
Catalyst 2948G-L3
Catalyst 2948G-L2,
2948G-GE-TX,
2980G-A
Catalyst 2900XL
Series
Catalyst 1900 Series

Yes

Yes

No

Yes

Yes

No

Yes

Yes

No

Yes

No

No

Yes
Yes
Yes
Yes
Yes
No

Yes
Yes
Yes
Yes
No
No

No
No
No
No
No
No

Yes

Yes

No

Yes

No

No

Yes

No

No