Configuring SPAN
Different models of Cisco switches have different capabilities regarding the number of ports that can be dedicated simultaneously as SPAN ports, restrictions on how VLAN-separated traffic is monitored, and so on. They also differ in the way the SPAN feature is configured, mainly because there are two different command-line interfaces—one for IOS-based switches, and the other for CatOS switches (supervisor engines of high-end switches, to be more precise).
We will start from the simpler IOS-based interface, which is applicable to the 2900/3500 series and those 4000/6000 switches that run the integrated Cisco IOS feature set (the supervisor engine in native mode).
Configuring an IOS-Based Switch for SPAN
With IOS-based switches, there are two configuration types depending on which switch model you are working on. A simpler SPAN feature is used on series 2900/3500 switches, while a more powerful SPAN feature set can be applied to 4000 or 6000 series switches running an integrated Cisco IOS command set. We will discuss both, starting with a simpler SPAN configuration.
Configuring 2900/3500 Series Switches
The Catalyst 2900/3500 series have basic port spanning features, while the IOS-based SPAN configuration is initiated using just one main command:
port monitor
This command is used in the configuration of a port dedicated to the SPAN feature (also called a monitor port or SPAN destination port—essentially, the port where traffic is copied to), and the parameter
-
The SPAN destination port and all the ports it monitors must belong to the same VLAN.
-
If the parameter
is not specified, all ports from this VLAN (to which a monitor port belongs) are monitored.
There are also some restrictions regarding which ports can act as SPAN destination ports (all restrictions are described in the corresponding model documentation):
-
The monitor port must belong to the same VLAN as the monitored ports. It is not possible to change VLAN membership on the monitor port or ports being monitored.
-
The monitor port cannot be a trunk port or dynamic-access port. On the other hand, a static-access port can monitor a VLAN on a trunk, dynamic-access, or multi-VLAN port. The VLAN monitored will be the VLAN to which the monitor port belongs.
-
An ATM port cannot be a monitor port.
-
The monitor port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
-
The monitor port cannot have more security enabled.
-
The monitor port cannot be a multi-VLAN port.
-
Port monitoring does not work if both the monitor and the monitored ports are protected ports.
Note The monitor port does not run STP (Spanning Tree Protocol—the word "span" in this term is not related to SPAN ports), so it is advisable not to connect this port to anything but IDS systems. If, for example, it is connected to a hub or bridge so that it creates a loop in the network, it can affect packet forwarding heavily.
Let's take a look at the following situation shown in Figure 9.4. We have a Catalyst 2900 switch with ports Fa0/1, Fa0/2, and Fa0/3 belonging to a VLAN 1, and ports Fa0/4, Fa0/5, and Fa0/6 belonging to a VLAN 2. Port Fa0/1 will be used to monitor VLAN 1 (source ports Fa0/2 and Fa0/3), and port Fa0/4 will monitor VLAN 2 (ports Fa0/5 and Fa0/6).
Before SPAN ports are configured, the corresponding part of switch configuration appears as the following:
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
switchport access vlan 2
!
interface FastEthernet0/5
switchport access vlan 2
!
interface FastEthernet0/6
switchport access vlan 2
!
This simply states that ports Fa0/1 to Fa0/3 belong to the default VLAN 1, while ports Fa0/4 to Fa0/6 belong to VLAN 2.
In order to configure port Fa0/1 as a monitor port, we need to put it in the configuration mode and enter the list of ports to be monitored:
sw2900(config)# int Fa0/1
sw2900(config-if)# port monitor fastethernet 0/2
sw2900(config-if)# port monitor fastethernet 0/3
sw2900(config-if)# ^Z
These commands state that each packet received or transmitted through ports Fa0/2 and Fa0/3 will be copied to port Fa0/1. If there are any other ports in VLAN 1, they will not be monitored. If we want to monitor the whole VLAN 2, we would simply use these commands:
sw2900(config)# int Fa0/1
sw2900(config-if)# port monitor
sw2900(config-if)# ^Z
When SPAN source ports are not specified in the port monitor command, traffic from the whole VLAN is monitored. If you try to specify as a source a port from another VLAN, you will get an error message saying it is impossible.
A similar configuration applies to VLAN 2 and resembles the following:
!
interface FastEthernet0/1
port monitor FastEthernet0/2
port monitor FastEthernet0/3
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
port monitor FastEthernet0/3
port monitor FastEthernet0/6
switchport access vlan 2
!
interface FastEthernet0/5
switchport access vlan 2
!
interface FastEthernet0/6
switchport access vlan 2
!
You can check which SPAN sessions are configured on a switch by using either the show running or show port monitor commands. The latter displays a list of monitor ports and corresponding SPAN sources for each SPAN port.
Switch#show port monitor
Monitor Port Port Being Monitored
------------------------------------------
FastEthernet0/1 FastEthernet0/2
FastEthernet0/1 FastEthernet0/3
FastEthernet0/4 FastEthernet0/5
FastEthernet0/4 FastEthernet0/6
| Note | The switches previously described always copy both ingress (incoming) and egress (outgoing) packets from monitored ports to a monitoring port. So, if a packet is switched between two monitored ports, it will be seen twice by an IDS—after it enters the switch and before it leaves the switch. |
Configuring a 4000/6000 Series IOS-Based Switch
The configuration of 4000/6000 series IOS-based switches resembles the preceding configuration, but their SPAN features are more complicated and flexible. They differ from 2900/3500 spanning port configurations in two main ways:
-
It is possible to have source ports not belonging to the same VLAN (that is, there is no rule that the monitor and all monitored ports should belong to one VLAN), and
-
It is possible to configure a direction of the monitored traffic—for example, monitor only ingress packets or only egress or both.
A configuration of each SPAN session consists, in this case, of two tasks: designating source ports and destination ports. There are restrictions on how many SPAN destination ports a switch can have. For the 4000 series, it is two ingress sessions and four egress sessions. A session monitoring traffic in both directions counts as one ingress and one egress session. SPAN destination interfaces cannot receive any ingress traffic, so if you want to send anything from the IDS back to the network, you will need another connection on a non-spanning port.
SPAN source ports are configured using the command:
[no] monitor session session_number source interface type/num | vlan
vlan_ID [rx | tx | both]
This command specifies source ports or whole source VLANs for a specific SPAN session and also the direction in which traffic from this source will be monitored. Parameter rx turns on monitoring for ingress packets, tx turns it on for egress packets, while both works for both directions. If no direction is entered in this command, then both is assumed. The prefix no, as usual, deletes an already configured source. For example:
Sw4000(config)# monitor session 1 source interface fa2/1 tx
Sw4000(config)# monitor session 1 source interface fa2/2 rx
Sw4000(config)# monitor session 2 source vlan 1 rx
It is possible to use several VLAN IDs in one command, for example:
Sw4000(config)# monitor session 2 source vlan 1, 5 - 7
You cannot mix source ports and source VLANs in one session—each session can have as a source either ports or VLANs, but not both. SPAN destinations are configured with the command:
[no] monitor session session_number destination interface type/num
For example,
Sw4000(config)# monitor session 1 destination interface fa3/38
After source and destination ports for the session are configured, the switch starts to copy packets between the source port and a destination port.
There is a possibility to use a trunk interface as a SPAN source and then filter only traffic from specific VLANs you are interested in to the destination port. To accomplish this, first designate the trunk port as a source port for a session and then use the following command:
[no] monitor session session_number filter vlan vlan_ID
For example (if Fa2/1 is the trunk port):
Sw4000(config)# monitor session 3 source interface fa2/1 tx
Sw4000(config)# monitor session 3 filter vlan 3 - 5
It is not possible to have a source VLAN and a trunk port with filtering in the same session, although it is possible to have trunk and non-trunk ports in one session. To disable a specific session, use the following command:
no monitor session
Finally, you can view the active SPAN configuration with the command:
show monitor session{detail}
It displays SPAN sources, destinations, and filters. For example:
Sw400# show monitor session 3
Session 3
----------
Source Ports:
RX Only: Fa2/1
TX Only: Fa2/2
Both: None
Source VLANs:
RX Only: None
TX Only: None
Both: None
Destination Ports: Fa3/38
Filter VLANs: 3-5
This output describes a situation where session 3 is configured with source ports Fa2/1 (in ingress direction) and Fa2/2 (in egress direction) and the destination for this session is port Fa3/38. From the trunk port Fa2/1, only traffic belonging to VLANs 3 to 5 is monitored.
| Note | Cisco documentation sometimes uses the abbreviations PSPAN and VSPAN. Their meaning is simple: PSPAN means Port-based SPAN—a case when sources for a session are ports, and VSPAN is a VLAN SPAN, when session sources are VLANs. |